PII Masking regex policy does not mask sensitive information as expected #1213
Description
Please select the area the issue is related to
Area/Policies (Policies, Policy Hub, Policy Engine etc)
Please select the aspect the issue is related to
Aspect/API (API backends, definitions, contracts, interfaces, OpenAPI)
Description
The PII Masking regex policy doesn't work as expected, information that is supposed to be masked is sent to the upstream.
Steps to Reproduce
- Deploy a self-hosted gateway and a sample backend to log request details in the same network
- Deploy and API proxy pointed to the backend
- Add
PII Masking regexpolicy with the following configuration
(piiEntity: EMAIL, piiRegex: ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,}$) - Send a request with an email in the body (e.g. tom@gmail.com)
- notice the logs in the backend, the email will be present in the logs
- Same issue is present when a regex for phone numbers is configured.
(piiEntity: PHONE, piiRegex: ^07[0-9]{8}$)
e.g.: 0776666666
Severity Level of the Issue
Severity/Major (Important functionality is broken. Should be prioritized. Doesn't need immediate attention)
Environment Details (with versions)
Stage