add-secure-paths

debitoor · Jul 3, 2017 · 0cd3938 · 0cd3938
1 parent 80ad178
commit 0cd3938
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 4 deletions.
diff --git a/secure-log-data.js b/secure-log-data.js
@@ -12,6 +12,12 @@ const SENSITIVE = [
 	'security_token'
 ];
 
+// if the path is 'foo.bar.key' then put the following in the map:
+// key: 'foo.bar'
+const SENSATIVE_PATH = {
+	user: 'auth'
+};
+
 const TOKEN = /token=[^;]*/;
 const TOKEN_ENC = /token%3[^&]*/;
 
@@ -20,7 +26,8 @@ function sanitize(val) {
 		return;
 	} else if (
 		schemaError(this.key, this.parent && this.parent.node) ||
-		SENSITIVE.indexOf(this.key.toLowerCase()) !== -1) {
+		SENSITIVE.indexOf(this.key.toLowerCase()) !== -1 ||
+		isSensativePath(this.key, this.parent && this.parent.path) ) {
 		this.update('***');
 	} else if (TOKEN.test(val)) {
 		this.update(val.replace(TOKEN, 'token=***'));
@@ -29,6 +36,21 @@ function sanitize(val) {
 	}
 }
 
+function isSensativePath(key, path) {
+	if (!SENSATIVE_PATH[key] || !path || path.length < 1) {
+		return false;
+	}
+	const sensativePath = SENSATIVE_PATH[key];
+	let partialPath;
+	for (var i = path.length; i >= 0; i--) {
+		const previousPath = partialPath ? `${partialPath}.` : '';
+		if (`${previousPath}${path[i]}` === sensativePath) {
+			return true;
+		}
+	}
+	return false;
+}
+
 function schemaError(key, obj) {
 	return key === 'value' &&
 		obj &&
@@ -39,4 +61,4 @@ function schemaError(key, obj) {
 
 module.exports = function(data) {
 	return traverse(data).map(sanitize);
-};
+};
diff --git a/test/secure-log-data.spec.js b/test/secure-log-data.spec.js
@@ -2,7 +2,7 @@ const expect = require('chai').expect;
 const secure = require('../secure-log-data');
 
 describe('secure-data.spec.js', function() {
-	
+
 	it('should mask all x-credentials values', function() {
 		expect(secure({
 			headers: {
@@ -101,4 +101,70 @@ describe('secure-data.spec.js', function() {
 		});
 	});
 
-});
+	it('should mask all sensative paths', function() {
+		expect(secure({
+			auth: {
+				user: 'secretUserName',
+				good: 'not secret'
+			},
+			authX: {
+				user: 'not secret',
+				good: 'not secret'
+			},
+			data: {
+				auth: {
+					user: 'secretUserName',
+					good: 'not secret'
+				}
+			},
+			datas: [
+				{
+					auth: {
+						user: 'secretUserName',
+						good: 'not secret'
+					}
+				},
+				{
+					data: {
+						auth: {
+							user: 'secretUserName',
+							good: 'not secret'
+						}
+					}
+				}
+			]
+		})).to.eql({
+			auth: {
+				user: '***',
+				good: 'not secret'
+			},
+			authX: {
+				user: 'not secret',
+				good: 'not secret'
+			},
+			data: {
+				auth: {
+					user: '***',
+					good: 'not secret'
+				}
+			},
+			datas: [
+				{
+					auth: {
+						user: '***',
+						good: 'not secret'
+					}
+				},
+				{
+					data: {
+						auth: {
+							user: '***',
+							good: 'not secret'
+						}
+					}
+				}
+			]
+		});
+	});
+
+});