sanitization

package
v1.0.74 Latest
Warning

This package is not in the latest version of its module.

Published: Nov 24, 2025 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Package sanitization provides centralized data sanitization utilities to prevent sensitive data exposure across the Lift framework.

Constants

This section is empty.

Variables

var AllowedFields = map[string]bool{
	"card_bin":   true,
	"card_brand": true,
	"card_type":  true,
}

AllowedFields are field names that should bypass sanitization.

var PaymentXMLPatterns = []XMLSanitizationPattern{

	{
		Name:        "AcctNum",
		Pattern:     regexp.MustCompile(`<AcctNum>(\d{12,19})</AcctNum>`),
		MaskingFunc: MaskCardNumber,
	},
	{
		Name:        "AcctNum_Escaped",
		Pattern:     regexp.MustCompile(`&lt;AcctNum&gt;(\d{12,19})&lt;/AcctNum&gt;`),
		MaskingFunc: MaskCardNumber,
	},

	{
		Name:        "CardExpiryDate",
		Pattern:     regexp.MustCompile(`<CardExpiryDate>(\d+)</CardExpiryDate>`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},
	{
		Name:        "CardExpiryDate_Escaped",
		Pattern:     regexp.MustCompile(`&lt;CardExpiryDate&gt;(\d+)&lt;/CardExpiryDate&gt;`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},

	{
		Name:        "CCVData",
		Pattern:     regexp.MustCompile(`<CCVData>(\d+)</CCVData>`),
		MaskingFunc: MaskCompletelyFunc("***"),
	},
	{
		Name:        "CCVData_Escaped",
		Pattern:     regexp.MustCompile(`&lt;CCVData&gt;(\d+)&lt;/CCVData&gt;`),
		MaskingFunc: MaskCompletelyFunc("***"),
	},

	{
		Name:        "CVV",
		Pattern:     regexp.MustCompile(`<CVV>(\d+)</CVV>`),
		MaskingFunc: MaskCompletelyFunc("***"),
	},
	{
		Name:        "CVV_Escaped",
		Pattern:     regexp.MustCompile(`&lt;CVV&gt;(\d+)&lt;/CVV&gt;`),
		MaskingFunc: MaskCompletelyFunc("***"),
	},

	{
		Name:        "SecurityCode",
		Pattern:     regexp.MustCompile(`<SecurityCode>(\d+)</SecurityCode>`),
		MaskingFunc: MaskCompletelyFunc("***"),
	},
	{
		Name:        "SecurityCode_Escaped",
		Pattern:     regexp.MustCompile(`&lt;SecurityCode&gt;(\d+)&lt;/SecurityCode&gt;`),
		MaskingFunc: MaskCompletelyFunc("***"),
	},

	{
		Name:        "TransArmorToken",
		Pattern:     regexp.MustCompile(`<TransArmorToken>([^<]+)</TransArmorToken>`),
		MaskingFunc: MaskTokenLastFour,
	},
	{
		Name:        "TransArmorToken_Escaped",
		Pattern:     regexp.MustCompile(`&lt;TransArmorToken&gt;([^<]+)&lt;/TransArmorToken&gt;`),
		MaskingFunc: MaskTokenLastFour,
	},

	{
		Name:        "SSN",
		Pattern:     regexp.MustCompile(`<SSN>([^<]+)</SSN>`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},
	{
		Name:        "SSN_Escaped",
		Pattern:     regexp.MustCompile(`&lt;SSN&gt;([^<]+)&lt;/SSN&gt;`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},

	{
		Name:        "TaxID",
		Pattern:     regexp.MustCompile(`<TaxID>([^<]+)</TaxID>`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},
	{
		Name:        "TaxID_Escaped",
		Pattern:     regexp.MustCompile(`&lt;TaxID&gt;([^<]+)&lt;/TaxID&gt;`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},

	{
		Name:        "TaxId",
		Pattern:     regexp.MustCompile(`<TaxId>([^<]+)</TaxId>`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},
	{
		Name:        "TaxId_Escaped",
		Pattern:     regexp.MustCompile(`&lt;TaxId&gt;([^<]+)&lt;/TaxId&gt;`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},

	{
		Name:        "PIN",
		Pattern:     regexp.MustCompile(`<PIN>([^<]+)</PIN>`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},
	{
		Name:        "PIN_Escaped",
		Pattern:     regexp.MustCompile(`&lt;PIN&gt;([^<]+)&lt;/PIN&gt;`),
		MaskingFunc: MaskCompletelyFunc("****"),
	},

	{
		Name:        "AccountNumber",
		Pattern:     regexp.MustCompile(`<AccountNumber>(\d{4,17})</AccountNumber>`),
		MaskingFunc: MaskCardNumber,
	},
	{
		Name:        "AccountNumber_Escaped",
		Pattern:     regexp.MustCompile(`&lt;AccountNumber&gt;(\d{4,17})&lt;/AccountNumber&gt;`),
		MaskingFunc: MaskCardNumber,
	},

	{
		Name:        "RoutingNumber",
		Pattern:     regexp.MustCompile(`<RoutingNumber>(\d{9})</RoutingNumber>`),
		MaskingFunc: MaskCardNumber,
	},
	{
		Name:        "RoutingNumber_Escaped",
		Pattern:     regexp.MustCompile(`&lt;RoutingNumber&gt;(\d{9})&lt;/RoutingNumber&gt;`),
		MaskingFunc: MaskCardNumber,
	},
}

PaymentXMLPatterns contains pre-configured patterns for common payment processing XML elements. These patterns handle both regular XML and HTML-escaped XML for maximum compatibility.

Usage:

sanitized := sanitization.SanitizeXML(xmlString, sanitization.PaymentXMLPatterns)

Patterns are applied in order, so more specific patterns should come before general ones.

var RapidConnectXMLPatterns = PaymentXMLPatterns

RapidConnectXMLPatterns is an alias for PaymentXMLPatterns, kept for backward compatibility and for explicit use with Rapid Connect (FiServ) integrations.

var SensitiveFields = map[string]SanitizationType{

	"cvv":           FullyRedact,
	"security_code": FullyRedact,
	"cvv2":          FullyRedact,
	"cvc":           FullyRedact,
	"cvc2":          FullyRedact,

	"card_number": PartialMask,
	"number":      PartialMask,

	"account_number": PartialMask,
	"ssn":            PartialMask,
	"tin":            PartialMask,
	"tax_id":         PartialMask,
	"ein":            PartialMask,

	"password":    FullyRedact,
	"secret":      FullyRedact,
	"private_key": FullyRedact,
	"secret_key":  FullyRedact,

	"api_token":            FullyRedact,
	"authorization":        FullyRedact,
	"authorization_id":     FullyRedact,
	"authorization_header": FullyRedact,
}

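SensitiveFields defines fields that require explicit sanitization behavior. Note that ssn and tax_id are PartialMask here, while the SSN, TaxID and TaxId patterns in PaymentXMLPatterns replace the value completely, so the same datum is masked differently depending on whether it is logged as a field or inside XML.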

Functions

func MaskCardNumber added in v1.0.65

func MaskCardNumber(match string) string

MaskCardNumber shows only the last 4 digits of card numbers (PCI DSS compliant). Handles both <AcctNum>1234567890123456</AcctNum> and HTML-escaped variants.

func MaskCompletelyFunc added in v1.0.65

func MaskCompletelyFunc(replacement string) func(string) string

MaskCompletelyFunc returns a function that masks a field completely with a replacement string. Used for highly sensitive fields like CVV, SSN, expiry dates.

func MaskTokenLastFour added in v1.0.65

func MaskTokenLastFour(match string) string

MaskTokenLastFour shows only the last 4 characters of tokens. Used for TransArmorToken and similar processor tokens.

func SanitizeFieldValue

func SanitizeFieldValue(key string, value any) any

SanitizeFieldValue uses the default sanitizer

func SanitizeHeaders

func SanitizeHeaders(headers map[string][]string) map[string]string

SanitizeHeaders uses the default sanitizer

func SanitizeJSON added in v1.0.65

func SanitizeJSON(jsonBytes []byte) string

SanitizeJSON recursively sanitizes JSON data for logging. Returns a formatted JSON string with sensitive data masked using Lift's field sanitization.

Example:

reqJSON, _ := json.Marshal(paymentRequest)
logger.Info("Processing payment", map[string]any{
    "request_json": sanitization.SanitizeJSON(reqJSON),
})

Output will mask sensitive fields like card_number, cvv, ssn, etc. based on Lift's DataClassification system while preserving the JSON structure.

func SanitizeMap

func SanitizeMap(data map[string]any) map[string]any

SanitizeMap uses the default sanitizer

func SanitizeQueryParams

func SanitizeQueryParams(params map[string][]string) map[string]string

SanitizeQueryParams uses the default sanitizer

func SanitizeXML added in v1.0.65

func SanitizeXML(xmlString string, patterns []XMLSanitizationPattern) string

SanitizeXML sanitizes XML content using configurable patterns. Supports both regular XML (<AcctNum>...</AcctNum>) and HTML-escaped XML (&lt;AcctNum&gt;...&lt;/AcctNum&gt;).

Example:

xmlRequest := buildRapidConnectXML(...)
logger.Info("Sending request", map[string]any{
    "xml_request": sanitization.SanitizeXML(xmlRequest, sanitization.PaymentXMLPatterns),
})

The function applies each pattern in sequence to the XML string, allowing for comprehensive masking of sensitive data.
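
The in-sequence pattern application described above can be exercised against variant element spellings to see what these exact-tag regexes cover. This is an added example, not code from the Lift package: the two regexes are copied from PaymentXMLPatterns, while maskLast4, sanitize, leaks and the sample strings are assumptions standing in for MaskCardNumber and SanitizeXML.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// The two AcctNum patterns exactly as listed in PaymentXMLPatterns on this page.
	acctPatterns = []*regexp.Regexp{
		regexp.MustCompile(`<AcctNum>(\d{12,19})</AcctNum>`),
		regexp.MustCompile(`&lt;AcctNum&gt;(\d{12,19})&lt;/AcctNum&gt;`),
	}
	// Residual check: any run of 12-19 digits left in the output.
	panLike = regexp.MustCompile(`\d{12,19}`)
	// Constructed inputs; 4111111111111111 is a widely used test card number.
	samples = []string{
		`<AcctNum>4111111111111111</AcctNum>`,            // plain element
		`&lt;AcctNum&gt;4111111111111111&lt;/AcctNum&gt;`, // HTML-escaped element
		`<AcctNum> 4111111111111111 </AcctNum>`,          // padded with whitespace
		`<AcctNum type="pan">4111111111111111</AcctNum>`, // element with an attribute
		`<ns:AcctNum>4111111111111111</ns:AcctNum>`,      // namespace-prefixed element
	}
)

// maskLast4 is a local stand-in (assumption) for MaskCardNumber: keep last four digits.
func maskLast4(match string) string {
	return panLike.ReplaceAllStringFunc(match, func(d string) string {
		return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
	})
}
// sanitize applies each pattern in sequence, as SanitizeXML is described to do.
func sanitize(s string) string {
	for _, re := range acctPatterns {
		s = re.ReplaceAllStringFunc(s, maskLast4)
	}
	return s
}
// leaks returns the sanitized samples that still contain a PAN-like digit run.
func leaks(in []string) (out []string) {
	for _, s := range in {
		if r := sanitize(s); panLike.MatchString(r) {
			out = append(out, r)
		}
	}
	return out
}
func main() { fmt.Println(strings.Join(leaks(samples), "\n")) }
```

The last three samples come back unmasked, so upstream XML that carries attributes, namespace prefixes or pretty-printed whitespace needs additional patterns or a parser-based pass before it is logged.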

Types

type SanitizationType added in v1.0.68

type SanitizationType int

SanitizationType defines how to sanitize a field

const (
	FullyRedact SanitizationType = iota // Replace with "[REDACTED]"
	PartialMask                         // Show partial data (e.g., last 4 digits)
)

type Sanitizer

type Sanitizer struct {
	// contains filtered or unexported fields
}

Sanitizer provides methods for sanitizing various types of data

func Default

func Default() *Sanitizer

Default returns a sanitizer with default data protection configuration

func New

New creates a new Sanitizer with a data protection manager

func (*Sanitizer) SanitizeFieldValue

func (s *Sanitizer) SanitizeFieldValue(key string, value any) any

SanitizeFieldValue sanitizes a field value based on its key name and data classification

func (*Sanitizer) SanitizeHeaders

func (s *Sanitizer) SanitizeHeaders(headers map[string][]string) map[string]string

SanitizeHeaders removes sensitive headers from a map

func (*Sanitizer) SanitizeMap

func (s *Sanitizer) SanitizeMap(data map[string]any) map[string]any

SanitizeMap applies sanitization to all values in a map

func (*Sanitizer) SanitizeQueryParams

func (s *Sanitizer) SanitizeQueryParams(params map[string][]string) map[string]string

SanitizeQueryParams sanitizes query parameters

type XMLSanitizationPattern added in v1.0.65

type XMLSanitizationPattern struct {
	Pattern     *regexp.Regexp            // Regex to match XML elements (both regular and HTML-escaped)
	MaskingFunc func(match string) string // Function to mask the matched value
	Name        string                    // Descriptive name for the pattern (e.g., "AcctNum", "CVV")
}

XMLSanitizationPattern defines a regex-based sanitization rule for XML elements
