From: Justin Wind Date: Fri, 5 Nov 2021 00:51:20 +0000 (-0700) Subject: keep sensitive credentials out of logs X-Git-Tag: v1.3.1^2~1 X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=f09a48a504757b8b512f7d15c938c13f63b5a637;p=websub-hub keep sensitive credentials out of logs --- diff --git a/src/logger.js b/src/logger.js index 934c7da..00edfb8 100644 --- a/src/logger.js +++ b/src/logger.js @@ -66,6 +66,14 @@ class Logger { } payload(level, scope, message, data, ...other) { + // Try to keep credentials out of logs. + // This approach feels sort of jank, but it's better than nothing, for now. + if (data && data.ctx && data.ctx.parsedBody && data.ctx.parsedBody.credential) { + // Create copy of data + data = JSON.parse(JSON.stringify(data)); + data.ctx.parsedBody.credential = '*'.repeat(data.ctx.parsedBody.credential.length); + } + const now = new Date(); return JSON.stringify({ nodeId: this.nodeId, diff --git a/src/service.js b/src/service.js index 1d9b8a0..a0043f7 100644 --- a/src/service.js +++ b/src/service.js @@ -181,8 +181,9 @@ class Service extends Dingus { /** - * Same as super.ingestBody, but if no body was sent, do not parse (and + * Similar to super.ingestBody, but if no body was sent, do not parse (and * thus avoid possible unsupported media type error). + * Also removes raw body from context, to simplify scrubbing sensitive data from logs. * @param {http.ClientRequest} req * @param {http.ServerResponse} res * @param {Object} ctx @@ -192,6 +193,7 @@ class Service extends Dingus { const contentType = Dingus.getRequestContentType(req); if (ctx.rawBody) { this.parseBody(contentType, ctx); + delete ctx.rawBody; } } diff --git a/test/src/logger.js b/test/src/logger.js index 2a20504..fc602aa 100644 --- a/test/src/logger.js +++ b/test/src/logger.js @@ -48,4 +48,17 @@ describe('Logger', function () { logger = new Logger(config); logger.info(); }); + + it('masks credentials', function () { + logger = new Logger(config); + logger.info('testScope', 'message', { + ctx: { + parsedBody: { + identity: 'username', + credential: 'password', + }, + }, + }); + }); + }); // Logger