From 64b4fb06d934a80dbcbbfa9d18217cc022d88371 Mon Sep 17 00:00:00 2001 
From: Muhammed Mirac Kayikci <134744464+mirackayikci@users.noreply.github.com> 
Date: Wed, 17 Jun 2026 19:59:25 +0300 
Subject: [PATCH 1/5] Redact sensitive headers in HTTP request/response logs 
Added redactSensitiveHeaders funciton to mask sensitive headers in HTTP dumps 
---
 cmd/vulnx/clis/common.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/cmd/vulnx/clis/common.go b/cmd/vulnx/clis/common.go 
index 8280be1..c091a23 100644 
--- a/cmd/vulnx/clis/common.go 
+++ b/cmd/vulnx/clis/common.go 
@@ -274,7 +274,7 @@ func ensureVulnxClientInitialized(_ *cobra.Command) error {
 if err == nil {
 var sb strings.Builder
 sb.WriteString("--- HTTP REQUEST ---\n") 
- sb.Write(dump) 
+ sb.WriteString(redactSensitiveHeaders(dump))
 sb.WriteString("--------------------\n")
 gologger.Debug().MsgFunc(sb.String)
 } 
@@ -286,7 +286,7 @@ func ensureVulnxClientInitialized(_ *cobra.Command) error {
 if err == nil {
 var sb strings.Builder
 sb.WriteString("--- HTTP RESPONSE ---\n") 
- sb.Write(dump) 
+ sb.WriteString(redactSensitiveHeaders(dump))
 sb.WriteString("---------------------\n")
 gologger.Debug().MsgFunc(sb.String)
 } 
@@ -1043,3 +1043,10 @@ func GetUpdateCallback() func() {
 updateutils.GetUpdateToolCallback("vulnx", Version)()
 }
 } 
+ 
+// redactSensitiveHeaders masks credential headers (e.g. the API key) in an 
+// HTTP dump so secrets are not leaked into debug output / CI logs. 
+func redactSensitiveHeaders(dump []byte) string { 
+ re := regexp.MustCompile(`(?i)(X-PDCP-Key:\s*).*`) 
+ return re.ReplaceAllString(string(dump), "${1}[REDACTED]") 
+} 
From 9f7609f5804f3b67067faf6e84de13a72da3b9c4 Mon Sep 17 00:00:00 2001 
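Review bot: In redactSensitiveHeaders (third hunk) the pattern `(?i)(X-PDCP-Key:\s*).*` can redact more than the key's value: `\s*` also matches CR and LF, so a header sent with an empty value lets `.*` run on into the following header line, and on CRLF-terminated dumps `.*` consumes the `\r` as well. Replacing `\s*` with `[ \t]*` and `.*` with `[^\r\n]*` confines the match to the value on that one line. The second hunk routes the response dump through the same function, where credential material would arrive in headers such as `Set-Cookie` or `Authorization` rather than `X-PDCP-Key`; if the API ever sets those, the header name in the pattern needs to become an alternation. The same pattern is repeated in pkg/service/vulnx.go in patches 2 and 4 and in patch 5 of this series.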
From: Muhammed Mirac Kayikci <134744464+mirackayikci@users.noreply.github.com> 
Date: Wed, 17 Jun 2026 20:21:35 +0300 
Subject: [PATCH 2/5] Redact X-PDCP-Key in service-layer debug request dump 
Added a function to redact sensitive headers from HTTP dumps to prevent leaking credentials. 
---
 pkg/service/vulnx.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/pkg/service/vulnx.go b/pkg/service/vulnx.go 
index 95e1870..39902bf 100644 
--- a/pkg/service/vulnx.go 
+++ b/pkg/service/vulnx.go 
@@ -7,6 +7,7 @@ import (
 "net/http"
 "net/url"
 "strings" 
+ "regexp"

 "github.com/projectdiscovery/vulnx/v2/pkg/types"
 "github.com/projectdiscovery/gologger" 
@@ -205,7 +206,7 @@ func (c *Vulnx) doRequest(req *retryablehttp.Request) (*http.Response, error) {
 if err != nil {
 gologger.Fatal().Msgf("Error dumping request: %s\n", err)
 } 
- gologger.Print().Msgf("%s\n", string(dump)) 
+ gologger.Print().Msgf("%s\n", redactSensitiveHeaders(dump))
 }

 resp, err := c.client.Do(req) 
@@ -223,3 +224,10 @@ func (c *Vulnx) doRequest(req *retryablehttp.Request) (*http.Response, error) {
 }
 return resp, err
 } 
+ 
+// redactSensitiveHeaders masks credential headers (e.g. the API key) in an 
+// HTTP dump so secrets are not leaked into debug output. 
+func redactSensitiveHeaders(dump []byte) string { 
+ re := regexp.MustCompile(`(?i)(X-PDCP-Key:\s*).*`) 
+ return re.ReplaceAllString(string(dump), "${1}[REDACTED]") 
+} 
From e418e67daa1e1db62c9f0230b6267fea725055a0 Mon Sep 17 00:00:00 2001 
From: Muhammed Mirac Kayikci <134744464+mirackayikci@users.noreply.github.com> 
Date: Wed, 17 Jun 2026 20:31:00 +0300 
Subject: [PATCH 3/5] Change log level from Print to Debug for request dump 
---
 pkg/service/vulnx.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkg/service/vulnx.go b/pkg/service/vulnx.go 
index 39902bf..d961816 100644 
--- a/pkg/service/vulnx.go 
+++ b/pkg/service/vulnx.go 
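Review bot: The added `"regexp"` import in the first hunk is placed after `"strings"`, which breaks the alphabetical order gofmt keeps within a contiguous import group; it belongs between `"net/url"` and `"strings"`. It compiles either way, but the next gofmt run will move the line and produce an unrelated diff.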
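Review bot: redactSensitiveHeaders in the last hunk is a second copy of the unexported helper the first patch added to cmd/vulnx/clis/common.go, identical except for the doc comment. Two private copies of a secret-scrubbing routine diverge quickly (patches 4 and 5 already change each one differently), and a header added to one will be missed in the other. Export a single implementation, e.g. `func RedactSensitiveHeaders(dump []byte) string` in pkg/service, and have the CLI call it; if the CLI package must not depend on pkg/service, a small shared package serves the same purpose.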
@@ -206,7 +206,7 @@ func (c *Vulnx) doRequest(req *retryablehttp.Request) (*http.Response, error) {
 if err != nil {
 gologger.Fatal().Msgf("Error dumping request: %s\n", err)
 } 
- gologger.Print().Msgf("%s\n", redactSensitiveHeaders(dump)) 
+ gologger.Debug().Msgf("%s\n", redactSensitiveHeaders(dump))
 }

 resp, err := c.client.Do(req) 
From c50872cdaa6d3183e38e304414da324ce8297059 Mon Sep 17 00:00:00 2001 
From: Muhammed Mirac Kayikci <134744464+mirackayikci@users.noreply.github.com> 
Date: Fri, 19 Jun 2026 01:46:05 +0300 
Subject: [PATCH 4/5] Update regex to use xPDCPHeaderKey constant 
---
 pkg/service/vulnx.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkg/service/vulnx.go b/pkg/service/vulnx.go 
index d961816..548ea9f 100644 
--- a/pkg/service/vulnx.go 
+++ b/pkg/service/vulnx.go 
@@ -228,6 +228,6 @@ func (c *Vulnx) doRequest(req *retryablehttp.Request) (*http.Response, error) {
 // redactSensitiveHeaders masks credential headers (e.g. the API key) in an
 // HTTP dump so secrets are not leaked into debug output.
 func redactSensitiveHeaders(dump []byte) string { 
- re := regexp.MustCompile(`(?i)(X-PDCP-Key:\s*).*`) 
+ re := regexp.MustCompile(`(?i)(` + regexp.QuoteMeta(xPDCPHeaderKey) + `:\s*).*`)
 return re.ReplaceAllString(string(dump), "${1}[REDACTED]")
 } 
From 5a4ed0f4beff74219ed00d72fd3c67c48e59c00e Mon Sep 17 00:00:00 2001 
From: Muhammed Mirac Kayikci <134744464+mirackayikci@users.noreply.github.com> 
Date: Wed, 24 Jun 2026 23:53:37 +0300 
Subject: [PATCH 5/5] Refactor redactSensitiveHeaders to use a single regex 
---
 cmd/vulnx/clis/common.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/cmd/vulnx/clis/common.go b/cmd/vulnx/clis/common.go 
index c091a23..7665a5c 100644 
--- a/cmd/vulnx/clis/common.go 
+++ b/cmd/vulnx/clis/common.go 
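Review bot: The new line in the patch-4 hunk still calls regexp.MustCompile inside redactSensitiveHeaders, so the pattern is recompiled on every request dump; it depends only on xPDCPHeaderKey, so it can be compiled once at package scope with `var sensitiveHeaderRe = regexp.MustCompile("(?i)(" + regexp.QuoteMeta(xPDCPHeaderKey) + ":\\s*).*")` and the body reduced to `return sensitiveHeaderRe.ReplaceAllString(string(dump), "${1}[REDACTED]")`. This assumes xPDCPHeaderKey is a package-level constant; its declaration is outside the hunk and should be checked. Building the name through QuoteMeta is the right choice, and it is what the CLI copy in cmd/vulnx/clis/common.go, which still hard-codes the header name, lacks.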
@@ -1044,9 +1044,8 @@ func GetUpdateCallback() func() {
 }
 }
 
-// redactSensitiveHeaders masks credential headers (e.g. the API key) in an 
-// HTTP dump so secrets are not leaked into debug output / CI logs. 
+var sensitiveHeaderRe = regexp.MustCompile(`(?i)(X-Api-Key:\s*).*`) 
+
 func redactSensitiveHeaders(dump []byte) string { 
- re := regexp.MustCompile(`(?i)(X-PDCP-Key:\s*).*`) 
- return re.ReplaceAllString(string(dump), "${1}[REDACTED]") 
+ return sensitiveHeaderRe.ReplaceAllString(string(dump), "${1}[REDACTED]")
 }
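Review bot: The hoisted sensitiveHeaderRe changes the matched header name from `X-PDCP-Key` to `X-Api-Key` without the commit message mentioning it, while the service-side copy (patch 4) still keys on the `xPDCPHeaderKey` constant; if the client really sends `X-PDCP-Key`, the CLI request and response dumps stop being redacted after this patch and the key is written to the debug log in clear. Unless the header was renamed elsewhere, match both names by replacing `X-Api-Key` in the pattern with `(?:X-PDCP-Key|X-Api-Key)`, or better, call the service package's helper so there is one source of truth. The doc comment on redactSensitiveHeaders is also dropped here; restore it, e.g. `// redactSensitiveHeaders masks credential headers in an HTTP dump so secrets are not leaked into debug output / CI logs.`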