From: Justin Wind Date: Fri, 5 Nov 2021 00:53:22 +0000 (-0700) Subject: Merge branch 'v1.3-dev' as v1.3.1 X-Git-Tag: v1.3.1 X-Git-Url: http://git.squeep.com/?p=websub-hub;a=commitdiff_plain;h=3b791da2fe22568f567d4796895f223cdf212b9a;hp=afc5da271215282fa723e79a12562d3b86734326 Merge branch 'v1.3-dev' as v1.3.1 --- diff --git a/README.md b/README.md index 20f61e0..31e921e 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ One way of deploying this server is behind nginx, with the pm2 package to manage > 'use strict'; > // Minimum required configuration settings > module.exports = { + > encryptionSecret: 'this is a secret passphrase, it is pretty important to be unguessable', > dingus: { > selfBaseUrl: 'https://hub.squeep.com/', > }, diff --git a/package-lock.json b/package-lock.json index 36a1d58..b7b0528 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "@squeep/websub-hub", - "version": "1.3.0", + "version": "1.3.1", "lockfileVersion": 1, "requires": true, "dependencies": { @@ -509,9 +509,9 @@ } }, "@sinonjs/fake-timers": { - "version": "7.1.2", - "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-7.1.2.tgz", - "integrity": "sha512-iQADsW4LBMISqZ6Ci1dupJL9pprqwcVFTcOsEmQOEhW+KLCVn/Y4Jrvg2k19fIHCp+iFprriYPTdRcQR8NbUPg==", + "version": "8.1.0", + "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-8.1.0.tgz", + "integrity": "sha512-OAPJUAtgeINhh/TAlUID4QTs53Njm7xzddaVlEs/SXwgtiD1tW22zAB/W1wdqfrpmikgaWQ9Fw6Ws+hsiRm5Vg==", "dev": true, "requires": { "@sinonjs/commons": "^1.7.0" 
@@ -535,8 +535,8 @@ "dev": true }, "@squeep/api-dingus": { - "version": "git+https://git.squeep.com/squeep-api-dingus/#3cf325b9e87b66e16f05c9bcae769eea72b207ed", - "from": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.1", + "version": "git+https://git.squeep.com/squeep-api-dingus/#47f38ca4c67e902ccef0b7114a0d144f476258bd", + "from": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.2", "requires": { "mime-db": "^1.50.0", "uuid": "^8.3.2" @@ -735,9 +735,9 @@ "optional": true }, "axios": { - "version": "0.23.0", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.23.0.tgz", - "integrity": "sha512-NmvAE4i0YAv5cKq8zlDoPd1VLKAqX5oLuZKs8xkJa4qi6RGn0uhCYFjWtHHC9EM/MwOwYWOs53W+V0aqEXq1sg==", + "version": "0.24.0", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.24.0.tgz", + "integrity": "sha512-Q6cWsys88HoPgAaFAVUb0WpPk0O8iTeisR9IMqy9G8AbO4NlpVknrnQS03zzF9PGAWgO3cgletO3VjV/P7VztA==", "requires": { "follow-redirects": "^1.14.4" } @@ -754,14 +754,14 @@ "optional": true }, "better-sqlite3": { - "version": "7.4.3", - "resolved": "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-7.4.3.tgz", - "integrity": "sha512-07bKjClZg/f4KMVRkzWtoIvazVPcF1gsvVKVIXlxwleC2DxuIhnra3KCMlUT1rFeRYXXckot2a46UciF2d9KLw==", + "version": "7.4.4", + "resolved": "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-7.4.4.tgz", + "integrity": "sha512-CnK1JjchxbEumd2J6lqfzSG5nT4B/v+J9P0AKSm3NHSfcPsEGE4rHUp9lDlslJ1TL701RM7GWlTp3Pbacpn1/Q==", "optional": true, "requires": { "bindings": "^1.5.0", - "prebuild-install": "^6.0.1", - "tar": "^6.1.0" + "prebuild-install": "^6.1.4", + "tar": "^6.1.11" } }, "binary-extensions": { 
@@ -2390,12 +2390,23 @@ "@sinonjs/text-encoding": "^0.7.1", "just-extend": "^4.0.2", "path-to-regexp": "^1.7.0" + }, + "dependencies": { + "@sinonjs/fake-timers": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/@sinonjs/fake-timers/-/fake-timers-7.1.2.tgz", + "integrity": "sha512-iQADsW4LBMISqZ6Ci1dupJL9pprqwcVFTcOsEmQOEhW+KLCVn/Y4Jrvg2k19fIHCp+iFprriYPTdRcQR8NbUPg==", + "dev": true, + "requires": { + "@sinonjs/commons": "^1.7.0" + } + } } }, "node-abi": { - "version": "2.30.0", - "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-2.30.0.tgz", - "integrity": "sha512-g6bZh3YCKQRdwuO/tSZZYJAw622SjsRfJ2X0Iy4sSOHZ34/sPPdVBn8fev2tj7njzLwuqPw9uMtGsGkO5kIQvg==", + "version": "2.30.1", + "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-2.30.1.tgz", + "integrity": "sha512-/2D0wOQPgaUWzVSVgRMx+trKJRC2UG4SUc4oCJoXx9Uxjtp0Vy3/kt7zcbxHF8+Z/pK3UloLWzBISg72brfy1w==", "optional": true, "requires": { "semver": "^5.4.1" @@ -3161,9 +3172,9 @@ } }, "prebuild-install": { - "version": "6.1.3", - "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-6.1.3.tgz", - "integrity": "sha512-iqqSR84tNYQUQHRXalSKdIaM8Ov1QxOVuBNWI7+BzZWv6Ih9k75wOnH1rGQ9WWTaaLkTpxWKIciOF0KyfM74+Q==", + "version": "6.1.4", + "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-6.1.4.tgz", + "integrity": "sha512-Z4vpywnK1lBg+zdPCVCsKq0xO66eEV9rWo2zrROGGiRS4JtueBOdlB1FnY8lcy7JsUud/Q3ijUxyWN26Ika0vQ==", "optional": true, "requires": { "detect-libc": "^1.0.3", 
@@ -3430,13 +3441,13 @@ } }, "sinon": { - "version": "11.1.2", - "resolved": "https://registry.npmjs.org/sinon/-/sinon-11.1.2.tgz", - "integrity": "sha512-59237HChms4kg7/sXhiRcUzdSkKuydDeTiamT/jesUVHshBgL8XAmhgFo0GfK6RruMDM/iRSij1EybmMog9cJw==", + "version": "12.0.1", + "resolved": "https://registry.npmjs.org/sinon/-/sinon-12.0.1.tgz", + "integrity": "sha512-iGu29Xhym33ydkAT+aNQFBINakjq69kKO6ByPvTsm3yyIACfyQttRTP03aBP/I8GfhFmLzrnKwNNkr0ORb1udg==", "dev": true, "requires": { "@sinonjs/commons": "^1.8.3", - "@sinonjs/fake-timers": "^7.1.2", + "@sinonjs/fake-timers": "^8.1.0", "@sinonjs/samsam": "^6.0.2", "diff": "^5.0.0", "nise": "^5.1.0", diff --git a/package.json b/package.json index 8f38d85..8d71ea7 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@squeep/websub-hub", - "version": "1.3.0", + "version": "1.3.1", "description": "A WebSub Hub server implementation.", "main": "server.js", "scripts": { @@ -32,18 +32,18 @@ "coverage-check" ], "dependencies": { - "@squeep/api-dingus": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.1", + "@squeep/api-dingus": "git+https://git.squeep.com/squeep-api-dingus/#v1.2.2", "@squeep/indieauth-helper": "git+https://git.squeep.com/squeep-indieauth-helper/#v1.0.0", "@squeep/mystery-box": "git+https://git.squeep.com/squeep-mystery-box/#v1.0.1", "@squeep/web-linking": "git+https://git.squeep.com/squeep-web-linking/#v1.0.1", - "axios": "^0.23.0", + "axios": "^0.24.0", "feedparser": "^2.2.10", "htmlparser2": "^7.1.2", "iconv": "^3.0.1" }, "optionalDependencies": { "argon2": "^0.28.2", - "better-sqlite3": "^7.4.3", + "better-sqlite3": "^7.4.4", "node-linux-pam": "^0.2.1", "pg-promise": "^10.11.1" }, @@ -56,6 +56,6 @@ "mocha-steps": "^1.3.0", "nyc": "^15.1.0", "pre-commit": "^1.2.2", - "sinon": "^11.1.2" + "sinon": "^12.0.1" } } diff --git a/src/logger.js b/src/logger.js index 934c7da..00edfb8 100644 --- a/src/logger.js +++ b/src/logger.js 
@@ -66,6 +66,14 @@ class Logger { } payload(level, scope, message, data, ...other) { + // Try to keep credentials out of logs. + // This approach feels sort of jank, but it's better than nothing, for now. + if (data && data.ctx && data.ctx.parsedBody && data.ctx.parsedBody.credential) { + // Create copy of data + data = JSON.parse(JSON.stringify(data)); + data.ctx.parsedBody.credential = '*'.repeat(data.ctx.parsedBody.credential.length); + } + const now = new Date(); return JSON.stringify({ nodeId: this.nodeId, diff --git a/src/service.js b/src/service.js index 1d9b8a0..a0043f7 100644 --- a/src/service.js +++ b/src/service.js @@ -181,8 +181,9 @@ class Service extends Dingus { /** - * Same as super.ingestBody, but if no body was sent, do not parse (and + * Similar to super.ingestBody, but if no body was sent, do not parse (and * thus avoid possible unsupported media type error). + * Also removes raw body from context, to simplify scrubbing sensitive data from logs. * @param {http.ClientRequest} req * @param {http.ServerResponse} res * @param {Object} ctx @@ -192,6 +193,7 @@ class Service extends Dingus { const contentType = Dingus.getRequestContentType(req); if (ctx.rawBody) { this.parseBody(contentType, ctx); + delete ctx.rawBody; } } diff --git a/test/src/logger.js b/test/src/logger.js index 2a20504..fc602aa 100644 --- a/test/src/logger.js +++ b/test/src/logger.js @@ -48,4 +48,17 @@ describe('Logger', function () { logger = new Logger(config); logger.info(); }); + + it('masks credentials', function () { + logger = new Logger(config); + logger.info('testScope', 'message', { + ctx: { + parsedBody: { + identity: 'username', + credential: 'password', + }, + }, + }); + }); + }); // Logger
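Review bot: The placeholder `'*'.repeat(data.ctx.parsedBody.credential.length)` still discloses the credential's length in every log line, and the `JSON.parse(JSON.stringify(data))` copy will throw from inside the logger if `data` ever carries a circular reference or a BigInt, turning a log call into a request failure. Both are avoided by copying only along the path being changed and using a fixed mask: `data = { ...data, ctx: { ...data.ctx, parsedBody: { ...data.ctx.parsedBody, credential: '***' } } };`. The scrub also only knows about `ctx.parsedBody.credential`; whether other copies of the secret can reach `data` (a query string, headers, an unparsed body) is not visible here, so a comment stating what is deliberately not covered would help the next maintainer. `payload` continues past the end of the hunk.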
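Review bot: `delete ctx.rawBody` runs only after `this.parseBody` returns, so when parsing throws (the unsupported-media-type case the doc comment mentions) the raw body, credentials included, remains on `ctx` for whatever error handler logs it next. Making the removal unconditional closes that gap: `try { this.parseBody(contentType, ctx); } finally { delete ctx.rawBody; }`. Whether the error path actually logs `ctx` cannot be confirmed from this hunk. `ingestBody`'s signature lies above the hunk.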
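Review bot: The new `masks credentials` test calls `logger.info` but asserts nothing, so it still passes if the masking is removed or broken. Since `Logger.payload` returns the serialized JSON string, the test can check the output directly: `const out = logger.payload('info', 'testScope', 'message', { ctx: { parsedBody: { identity: 'username', credential: 'password' } } });` followed by `assert(!out.includes('password'));` and `assert(out.includes('username'));`. Whether `assert` is already required in this test file is not visible here.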