
fix: string masking and redaction#477

Open
arunmish-visa wants to merge 3 commits into AuthorizeNet:master from arunmish-visa:feature/security-enhancements

Conversation

@arunmish-visa
Contributor

No description provided.

…w body logging

Critical fixes for AISAST-10703:

1. Log.php - addDelimiterFwdSlash(): Add 's' (dotall) flag so sensitive values
   spanning newlines are matched by XML regex patterns.

2. Log.php - NEW maskSensitiveJsonString(): Add JSON-key-aware masking that
   handles the actual wire format (json_encode) used by ApiOperationBase.
   Masks cardNumber, cardCode, transactionKey, expirationDate, accountNumber,
   and nameOnAccount in JSON payloads using key-value regex patterns.

3. Log.php - getMasked(): Chain maskSensitiveJsonString() after XML masking
   so both formats are covered before credit card regex runs.

4. HttpClient.php line 77: Remove raw request body logging; log only
   payload length (payloadLength=N).

5. HttpClient.php line 96: Remove raw response body logging; log only
   HTTP status code and response length.

6. Add comprehensive PHPUnit tests (LogMaskingTest.php) covering:
   - JSON key masking for all sensitive fields
   - Multiple occurrences of same sensitive tag
   - Multi-line XML values (dotall coverage)
   - Credit card regex in freetext
   - Combined JSON + freetext scenarios
   - Edge cases (empty string, non-sensitive preservation)

Addresses: PCI A3.2.6, KC 7.10.9, security-logging-dsr 11.2
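The commit message above describes three masking stages (XML tag values with the dotall modifier, JSON key/value pairs as emitted by json_encode, and a credit-card sweep over free text) plus logging only the payload length. The PHP below is an added example written for this page, not the SDK's Log.php or HttpClient.php and not code from the PR; the class and method names, the xxxx replacement, the Luhn filter on the free-text sweep, and the sample payloads are assumptions made for illustration.

```php
<?php
// Added example, not AuthorizeNet sdk-php code. Names below are assumptions.
final class SensitiveMasker
{
    // Field names the commit message lists as sensitive.
    private const SENSITIVE = [
        'cardNumber', 'cardCode', 'transactionKey', 'expirationDate',
        'accountNumber', 'nameOnAccount',
    ];

    // Mask <tag>value</tag>. The 's' modifier lets '.' match newlines, so a
    // value broken across lines is still captured; non-greedy '.*?' stops at
    // the first closing tag; 'i' tolerates mixed-case tag names.
    public static function maskXml(string $s): string
    {
        foreach (self::SENSITIVE as $tag) {
            $q = preg_quote($tag, '/');
            $s = preg_replace('/(<' . $q . '>)(.*?)(<\/' . $q . '>)/is', '$1xxxx$3', $s);
        }
        return $s;
    }

    // Mask "key":"value" pairs in json_encode() output. The value is matched as
    // a JSON string (escaped quotes allowed) so the match cannot run past the
    // closing quote into the next field; whitespace around ':' is tolerated.
    public static function maskJson(string $s): string
    {
        $keys = implode('|', array_map(fn ($k) => preg_quote($k, '/'), self::SENSITIVE));
        $pattern = '/("(?:' . $keys . ')"\s*:\s*")(?:[^"\\\\]|\\\\.)*(")/i';
        return preg_replace($pattern, '$1xxxx$2', $s);
    }

    // Free-text fallback: 13-19 digit runs that pass Luhn are masked except the
    // last four digits. The Luhn filter (an assumption) avoids masking ordinary
    // numeric identifiers of the same length.
    public static function maskCardNumbers(string $s): string
    {
        return preg_replace_callback('/\b\d{13,19}\b/', function (array $m): string {
            $n = $m[0];
            return self::luhn($n) ? str_repeat('x', strlen($n) - 4) . substr($n, -4) : $n;
        }, $s);
    }

    private static function luhn(string $digits): bool
    {
        $sum = 0;
        $double = false;
        for ($i = strlen($digits) - 1; $i >= 0; $i--) {
            $d = (int) $digits[$i];
            if ($double) {
                $d *= 2;
                if ($d > 9) {
                    $d -= 9;
                }
            }
            $sum += $d;
            $double = !$double;
        }
        return $sum % 10 === 0;
    }

    // Structured formats first, then the free-text sweep, mirroring the
    // chaining the commit message describes for getMasked().
    public static function getMasked(string $s): string
    {
        return self::maskCardNumbers(self::maskJson(self::maskXml($s)));
    }
}

// Instead of logging a request or response body, log only its length.
function describeBody(string $body): string
{
    return 'payloadLength=' . strlen($body);
}

// Constructed sample inputs, not captured API traffic.
$xml  = "<createTransactionRequest><transactionKey>abc\n123</transactionKey></createTransactionRequest>";
$json = json_encode(['payment' => ['creditCard' => ['cardNumber' => '4111111111111111', 'cardCode' => '123']]]);
$text = 'retry for card 4111111111111111 scheduled';

echo SensitiveMasker::getMasked($xml), "\n";
echo SensitiveMasker::getMasked($json), "\n";
echo SensitiveMasker::getMasked($text), "\n";
echo describeBody($json), "\n";
```

Run with `php masker.php` (PHP 7.4 or later for the arrow function). Without the `s` modifier the first sample would pass through unmasked because `.*?` stops at the newline; without a JSON-aware pattern the second sample would only be caught by the free-text sweep, which leaves `cardCode` and any non-numeric field such as `nameOnAccount` exposed.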
