Skip to content

fix: credit card regex false-positives on numeric IDs and timestamps #29

Description

@byapparov

Context

The credit card pattern /\b(?:\d[ -]*?){13,16}\b/g in src/middleware/redactor.ts:44 matches any run of 13-16 digits with optional spaces/dashes. This false-positives on:

  • Snowflake IDs (1709298000000)
  • Unix timestamps in milliseconds
  • Database primary keys > 13 digits
  • Numeric version strings with separators

Location: src/middleware/redactor.ts, line 44

Impact

Legitimate numeric content in model responses gets redacted and rehydration fails (no token was stored for false-positive matches), corrupting the response.

Proposal

Apply Luhn algorithm validation before redacting, or use tighter patterns requiring standard card groupings: 4-4-4-4, 4-6-5, etc.

Priority

High — pre-existing issue, not introduced by PR #23.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions