In software development, especially during testing phases, the risk of leaking Personally Identifiable Information (PII) can become a significant security concern. In environments where data privacy is paramount, even test data containing sensitive information must be shielded effectively. This challenge becomes even more complex within constrained budgets, often limiting the ability to deploy costly solutions or dedicated compliance tools.
Fortunately, secure and effective measures can be implemented using TypeScript, leveraging its type safety and ease of automation. This blog explores how a security researcher, working with zero budget, can address the problem of leaking PII in test environments by implementing lightweight masking and validation strategies.
### Understanding the Problem
PII leaks often occur when real user data is used in testing without proper anonymization, or when logs and test outputs inadvertently contain sensitive fields. Typical PII data include names, email addresses, phone numbers, addresses, and social security numbers.
The goal: Create an automated layer in your test pipeline that detects, masks, or removes PII before data is stored, logged, or transmitted in testing environments.
### Approach Using TypeScript
Since TypeScript offers static typing and a flexible runtime with JavaScript, it allows us to craft an elegant, zero-cost solution focusing on data sanitization.
- Define Data Schemas with TypeScript Interfaces:
Create strict interfaces for user data, allowing compile-time checks and better control over data structures.
```typescript
interface UserProfile {
  id: number;
  name: string;
  email: string;
  phone?: string;
  address?: string;
}
```
- Implement PII Masking Functions:
Develop functions that scan data fields for PII patterns and replace them with masked variants.
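```typescript
// Keep the first two characters of the local part and mask the rest.
function maskEmail(email: string): string {
  const [localPart, domain] = email.split('@');
  // Not a well-formed address: redact it entirely instead of emitting "@undefined"
  if (!localPart || !domain) return 'REDACTED';
  const maskedLocal = localPart.slice(0, 2) + '***';
  return `${maskedLocal}@${domain}`;
}

// Mask the trailing four digits; an absent phone number becomes an empty string.
function maskPhone(phone?: string): string {
  if (!phone) return '';
  return phone.replace(/\d{4}$/, '****'); // Mask last 4 digits
}
```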
- Create Data Sanitization Middleware for Testing:
Wrap data creation or logging functions within a sanitization layer:
```typescript
function sanitizeUser(user: UserProfile): UserProfile {
  return {
    ...user,
    name: 'REDACTED', // Alternatively, mask parts of the name
    email: maskEmail(user.email),
    phone: maskPhone(user.phone),
    address: 'REDACTED'
  };
}

// Usage in testing
const testUser: UserProfile = {
  id: 123,
  name: 'John Doe',
  email: 'john.doe@example.com',
  phone: '5551234567',
  address: '123 Elm Street'
};
const sanitizedUser = sanitizeUser(testUser);
console.log(sanitizedUser);
```
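The sanitizer above covers only the typed `UserProfile` object, while the stated goal also includes logs and test output. As an added example (not code from the original post), the code below scrubs arbitrary JSON-like records and free-text log lines and provides a `findPii` gate that a test can assert on. The key list, the regex patterns, the sample record, and all function names are assumptions made for illustration.

```typescript
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
const REDACTED = '[REDACTED]';
// Assumed list of field names always treated as PII, whatever the value looks like.
const PII_KEYS = ['name', 'email', 'phone', 'address', 'ssn'];
// Assumed patterns for PII embedded in free text such as log messages; tune to your data.
const PII_PATTERNS: { label: string; re: RegExp }[] = [
  { label: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { label: 'SSN', re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: 'PHONE', re: /\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b/g },
];
// Constructed sample: a log record a test run might emit.
const sampleRecord: Json = {
  user: { id: 123, name: 'John Doe', email: 'john.doe@example.com' },
  events: ['reset link sent to john.doe@example.com', 'callback 555-123-4567, ssn 123-45-6789'],
};
const isPiiKey = (key?: string): boolean => key !== undefined && PII_KEYS.indexOf(key.toLowerCase()) !== -1;

// Replace every pattern match inside a string with a typed placeholder.
function scrubText(text: string): string {
  return PII_PATTERNS.reduce((out, p) => out.replace(p.re, '[' + p.label + ']'), text);
}

// Recursively sanitize any JSON-like value before it is logged or stored.
function scrub(value: Json, key?: string): Json {
  if (value === null) return null;
  if (isPiiKey(key)) return REDACTED;
  if (typeof value === 'string') return scrubText(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v));
  if (typeof value !== 'object') return value;
  const out: { [key: string]: Json } = {};
  for (const k of Object.keys(value)) out[k] = scrub(value[k], k);
  return out;
}

// Validation gate: list the paths where PII survives; an empty list means clean.
function findPii(value: Json, path = '$', key?: string): string[] {
  const hits: string[] = [];
  if (value === null) return hits;
  if (isPiiKey(key)) return value === REDACTED ? hits : [path + ': unredacted field'];
  if (typeof value === 'string') {
    for (const p of PII_PATTERNS) if (value.search(p.re) !== -1) hits.push(path + ': ' + p.label);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findPii(v, path + '[' + i + ']')));
  } else if (typeof value === 'object') {
    for (const k of Object.keys(value)) hits.push(...findPii(value[k], path + '.' + k, k));
  }
  return hits;
}
```

In a test pipeline, failing the run whenever `findPii(output)` returns a non-empty list turns the check into a gate rather than a best-effort filter.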
---
### 🛠️ QA Tip
To test this safely without using real user data, I use [TempoMail USA](https://tempomailusa.com).