feat: redact secrets and keys from logs

jakowenko · Aug 7, 2021 · 0f3ef02 · 0f3ef02
1 parent 9bcf8fa
commit 0f3ef02
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/api/package-lock.json b/api/package-lock.json
diff --git a/api/package.json b/api/package.json
@@ -34,6 +34,7 @@
     "multer": "^1.4.2",
     "node-schedule": "^2.0.0",
     "sharp": "^0.28.3",
+    "traverse": "^0.6.6",
     "uuid": "^8.3.2",
     "winston": "^3.3.3"
   }

diff --git a/api/src/util/logger.util.js b/api/src/util/logger.util.js
@@ -2,11 +2,12 @@ const { createLogger, format, transports } = require('winston');
 const util = require('util');
 const { core: SYSTEM_CORE } = require('../constants/system');
 const mqtt = require('./mqtt.util');
+const redact = require('./redact-secrets.util');
 
 const combineMessageAndSplat = () => {
   return {
     transform: (info /* , opts */) => {
-      info.message = util.format(info.message, ...(info[Symbol.for('splat')] || []));
+      info.message = util.format(redact(info.message), ...redact(info[Symbol.for('splat')] || []));
       return info;
     },
   };

diff --git a/api/src/util/redact-secrets.util.js b/api/src/util/redact-secrets.util.js
@@ -0,0 +1,27 @@
+const traverse = require('traverse');
+
+const KEYS = [
+  // generic
+  /passw(or)?d/i,
+  /key/,
+  /^pw$/,
+  /^pass$/i,
+  /secret/i,
+  /token/i,
+  /api[-._]?key/i,
+  /session[-._]?id/i,
+  // specific
+  /^connect\.sid$/, // https://github.com/expressjs/session
+];
+
+const key = (str) =>
+  KEYS.some((regex) => {
+    return regex.test(str);
+  });
+
+module.exports = (obj, value = '********') => {
+  // eslint-disable-next-line array-callback-return
+  return traverse(obj).map(function redact(/* val */) {
+    if (key(this.key)) this.update(value);
+  });
+};