The golden fixture suite lives inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/facunemi/evidence-sanitizer/llms.txt
Use this file to discover all available pages before exploring further.
tests/fixtures/golden/ and is the primary end-to-end test harness for Evidence Sanitizer. Each fixture is a pair of plain-text files — a .input.txt file containing raw, unsanitized evidence, and a matching .expected.txt file containing the exact sanitized output that sanitize_text() must produce. Every fixture uses only synthetic values and reserved domains (example.test, api.example.test, mobile.example.test, callback.example.test) so nothing real is embedded in the repository. Together they document realistic before-and-after behavior and serve as regression guards: any code change that shifts the output of a fixture causes the test to fail immediately.
All secret values in these fixtures are synthetic placeholders (e.g.
synthetic-bearer-token, synthetic-session-cookie). They exist solely to make the expected transformation readable and unambiguous — they are not real credentials.Running the Fixture Tests
.expected.txt file exactly, the SanitizationReport rule counts match hardcoded expected counts, and re-running sanitize_text() on the output is fully idempotent (no further changes, no rules triggered).
Fixture 1 — http_request_mixed
A realistic raw HTTP GET request carrying credentials in multiple places simultaneously: a Bearer token in Authorization, a sensitive API key in both a query parameter and an X-API-Key header, additional secret query parameters, and a multi-value Cookie header.
Rules triggered: authorization.bearer ×1, query.secret ×3, header.secret ×1, cookie.value ×3
- Input
- Output
authorization.bearer rule replaces the credential after Bearer. The query.secret rule fires on access_token, sig, and api_key — all three are on the approved sensitive name list — while theme is not sensitive and is left unchanged. The header.secret rule fires on X-API-Key. The cookie.value rule parses the Cookie header semicolon-by-semicolon: session, _ga, and unknown are all classified as sensitive, while theme is an approved non-sensitive name and stays verbatim.
Fixture 2 — burp_repeater_like
A proxy/repeater-style POST request as it might appear when copied out of Burp Suite. Demonstrates Authorization: Basic, a single-value Cookie that contains a raw malformed entry (no = sign), and a folded Cookie header that is intentionally left unchanged by design.
Rules triggered: authorization.basic ×1, query.secret ×1, header.secret ×1, cookie.header ×1
- Input
- Output
Authorization: Basic triggers the authorization.basic rule. signature in the query string triggers query.secret. X-CSRF-Token is on the sensitive header name list and triggers header.secret. The first Cookie header contains malformed-raw (no = sign), which causes the safe cookie parser to fall back to the whole-header cookie.header rule, replacing the entire value rather than individual cookie values. The second Cookie line has a tab-indented continuation (a folded header) — this is an explicitly out-of-scope pattern documented in Limitations, so it is left untouched. Set-Cookie is also out of scope and is left unchanged.
Fixture 3 — api_log_mixed
A line-oriented API gateway log excerpt. Demonstrates that authorization headers and sensitive query parameters are matched anywhere in a line, not just in HTTP-style request blocks, and that a non-Bearer/Basic Authorization scheme (Signature) triggers authorization.other.
Rules triggered: authorization.other ×1, query.secret ×2
- Input
- Output
x-amz-signature is on the sensitive query parameter name list and triggers query.secret. access_token_expires and timestamp are not sensitive names and remain. api_key triggers query.secret. signature_algorithm is not on the approved list (it is a configuration value, not a secret) and remains. The Signature scheme in Authorization is syntactically valid but not Bearer or Basic, so it triggers authorization.other and the marker becomes <REDACTED:authorization.credentials>.
Fixture 4 — json_api_body_mixed
A POST request with a JSON body containing multiple sensitive field names alongside non-sensitive ones. Also demonstrates that a broader Authorization: Bearer finding takes precedence — the token in the header is covered by authorization.bearer, while the JSON body values are covered by json.value.
Rules triggered: authorization.bearer ×1, json.value ×6
- Input
- Output
access_token, refresh_token, id_token, client_secret, password, and api_key are all on the approved JSON sensitive field name list, each triggering json.value. token_type, user_id, and theme are not on the list and remain as-is. Only direct string-to-string pairs are matched; numbers, booleans, null, arrays, and objects are left unchanged even if their keys match a sensitive name.
Fixture 5 — form_urlencoded_body_mixed
Two POST requests with application/x-www-form-urlencoded bodies. Demonstrates approved vs. deferred field handling, an embedded URL in a redirect_uri value that contains a sensitive query parameter, and a second request where the form value itself looks like a URL with secret query parameters.
Rules triggered: authorization.bearer ×1, form.value ×10, query.secret ×1
- Input
- Output
Content-Type: application/x-www-form-urlencoded header followed by a blank separator line. Only the immediate first physical line after the separator is scanned — multi-line or wrapped form bodies are not supported. The deferred fields grant_type, username, scope, code, state, and nonce are intentionally not redacted. access%5Ftoken has a percent-encoded name; no percent-decoding is performed, so this field name does not match the approved list and its value stays. The access_token inside redirect_uri is a nested URL query parameter — the form scanner leaves it for the query scanner, which correctly fires query.secret on it. In the second request, token and sig are both on the form sensitive name list, each triggering form.value.
Additional Fixtures
The following fixtures also exist intests/fixtures/golden/ and are exercised by the same parameterized test. Refer to the fixture files directly for their full content.
mobile_api_trace_like — Mobile/debug trace
mobile_api_trace_like — Mobile/debug trace
A mobile API trace header block for
mobile.example.test, demonstrating Authorization: Bearer, X-Auth-Token (sensitive header), a Cookie with both sensitive and non-sensitive values, and a single sensitive query parameter.Rules triggered: authorization.bearer ×1, query.secret ×1, header.secret ×1, cookie.value ×3Notable detail: device=pixel7 is a cookie name classified as sensitive (device identifiers are treated as sensitive by the cookie classifier), so it is redacted to device=<REDACTED:cookie.value>. X-Request-ID is not on the sensitive header list and is left unchanged.report_note_mixed — Human-written assessment notes
report_note_mixed — Human-written assessment notes
A prose note block as a pentest report author might write it, mixing free-form sentences with embedded HTTP snippets. Demonstrates that rules fire anywhere in the file regardless of surrounding context: a
Bearer token in an Authorization header inside a prose block, X-API-Key in that same snippet, and token, sig, and signature query parameters in a URL on a prose line.Rules triggered: authorization.bearer ×1, query.secret ×2, header.secret ×1Notable detail: code and state query parameters in the URL are not on the sensitive name list and remain unchanged. Pre-existing <REDACTED:cookie.value> markers in the input (already redacted before this run) are correctly preserved and do not trigger any additional rules, demonstrating idempotence of existing markers.edge_cases_markers_and_malformed_cookie — Idempotence and fallback
edge_cases_markers_and_malformed_cookie — Idempotence and fallback
proxy_authorization_mixed — Proxy-Authorization rule family
proxy_authorization_mixed — Proxy-Authorization rule family