
filterMatchedItems Fails to Filter Non-Delimited Matches Containing Chinese or Keywords #2

Open
@forlqy

Description


https://github.com/h1thub/SecureJS/blob/main/internal/matcher/matcher.go

```go
if splitPos != -1 {
    // A delimiter was found, so split on it
    key := text[:splitPos]
    value := text[splitPos+1:] // everything after the delimiter counts as the value

    // Lowercase and strip surrounding quotes and spaces
    key = strings.ToLower(strings.Trim(key, `"' `))
    value = strings.ToLower(strings.Trim(value, `"' `))

    // ① Filter if the key matches a "pre-filter keyword"
    if preKeywordRegex.MatchString(key) {
        shouldFilter = true
    }

    // ② Filter if the value contains an ordinary filter keyword
    if keywordRegex.MatchString(value) {
        shouldFilter = true
    }

    // ③ Filter if the value contains Chinese characters
    if chineseRegex.MatchString(value) {
        shouldFilter = true
    }
}

if !shouldFilter {
    filteredItems = append(filteredItems, item)
}
```

Description:
The `filterMatchedItems` function does not correctly filter matched items that lack a colon (`:`) or equals sign (`=`) delimiter. When a matched text has no delimiter, the entire text is not checked for Chinese characters or keywords, leading to false positives (unfiltered sensitive data).

Affected Component:
`matcher/filterMatchedItems` function in the matching logic.

Steps to Reproduce:
1. Define a regex rule that matches strings without delimiters (e.g., `\b\w+\b`).
2. Parse a response containing text like `中国` or `password123` (keyword substring).
3. Run `MatchAll` and observe the results.

Actual Result: These non-delimited items appear in the output.
Expected Result: Items containing Chinese characters or keywords should be filtered out.

Additional Notes:
- Ensure the entire text is checked for Chinese characters even without delimiters.
- Update the keyword checks to apply to the full text when no delimiter exists.
- Consider edge cases like empty values (e.g., `key:`) and adjust filtering accordingly.
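The following is an added, self-contained Go example (not SecureJS's own code or a proposed patch) showing the delimiter-less gap described in this issue and one way to close it: the keyword and Chinese checks are applied to the whole text when no `:`/`=` is present, and an empty value such as `key:` is dropped. The three regexes are constructed stand-ins for the project's real pattern lists, and the empty-value policy is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-ins for the project's filter patterns (assumptions, not SecureJS's own lists).
var (
	preKeywordRegex = regexp.MustCompile(`^(name|title|label)$`)
	keywordRegex    = regexp.MustCompile(`password|token|secret`)
	chineseRegex    = regexp.MustCompile(`\p{Han}`)
)

// shouldFilter reports whether a matched text should be dropped. With a ':' or '='
// delimiter it checks key and value separately, as the quoted snippet does; without
// one it applies the keyword and Chinese checks to the whole text, which the
// original never did and which this issue asks for.
func shouldFilter(text string) bool {
	splitPos := strings.IndexAny(text, ":=")
	if splitPos == -1 {
		whole := strings.ToLower(strings.Trim(text, "\"' "))
		return keywordRegex.MatchString(whole) || chineseRegex.MatchString(whole)
	}
	key := strings.ToLower(strings.Trim(text[:splitPos], "\"' "))
	value := strings.ToLower(strings.Trim(text[splitPos+1:], "\"' "))
	if value == "" {
		return true // an empty value such as `key:` carries nothing worth keeping (assumed policy)
	}
	return preKeywordRegex.MatchString(key) ||
		keywordRegex.MatchString(value) ||
		chineseRegex.MatchString(value)
}

// filterMatchedItems keeps only the items that shouldFilter does not reject.
func filterMatchedItems(items []string) []string {
	var kept []string
	for _, item := range items {
		if !shouldFilter(item) {
			kept = append(kept, item)
		}
	}
	return kept
}

func main() {
	// Constructed sample matches; only the api_key line survives the filter.
	fmt.Println(filterMatchedItems([]string{"中国", "password123", "api_key=AKIA-EXAMPLE", "title: 用户名", "key:"}))
}
```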
