Skip to content

Mask sensitive information when logging #1790

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 17, 2016
Merged

Mask sensitive information when logging #1790

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions spec/FileLoggerAdapter.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
'use strict';

var FileLoggerAdapter = require('../src/Adapters/Logger/FileLoggerAdapter').FileLoggerAdapter;
var Parse = require('parse/node').Parse;
var request = require('request');

describe('info logs', () => {

Expand Down Expand Up @@ -45,3 +48,55 @@ describe('error logs', () => {
});
});
});

describe('verbose logs', () => {

it("mask sensitive information in _User class", (done) => {
let customConfig = Object.assign({}, defaultConfiguration, {verbose: true});
setServerConfiguration(customConfig);
createTestUser().then(() => {
let fileLoggerAdapter = new FileLoggerAdapter();
return fileLoggerAdapter.query({
from: new Date(Date.now() - 500),
size: 100,
level: 'verbose'
});
}).then((results) => {
expect(results[1].message.includes('"password": "********"')).toEqual(true);
var headers = {
'X-Parse-Application-Id': 'test',
'X-Parse-REST-API-Key': 'rest'
};
request.get({
headers: headers,
url: 'http://localhost:8378/1/login?username=test&password=moon-y'
}, (error, response, body) => {
let fileLoggerAdapter = new FileLoggerAdapter();
return fileLoggerAdapter.query({
from: new Date(Date.now() - 500),
size: 100,
level: 'verbose'
}).then((results) => {
expect(results[1].message.includes('password=********')).toEqual(true);
done();
});
});
});
});

it("should not mask information in non _User class", (done) => {
let obj = new Parse.Object('users');
obj.set('password', 'pw');
obj.save().then(() => {
let fileLoggerAdapter = new FileLoggerAdapter();
return fileLoggerAdapter.query({
from: new Date(Date.now() - 500),
size: 100,
level: 'verbose'
});
}).then((results) => {
expect(results[1].message.includes('"password": "pw"')).toEqual(true);
done();
});
});
});
36 changes: 34 additions & 2 deletions src/PromiseRouter.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
// components that external developers may be modifying.

import express from 'express';
import url from 'url';
import log from './logger';

export default class PromiseRouter {
Expand Down Expand Up @@ -154,8 +155,8 @@ export default class PromiseRouter {
function makeExpressHandler(promiseHandler) {
return function(req, res, next) {
try {
log.verbose(req.method, req.originalUrl, req.headers,
JSON.stringify(req.body, null, 2));
log.verbose(req.method, maskSensitiveUrl(req), req.headers,
JSON.stringify(maskSensitiveBody(req), null, 2));
promiseHandler(req).then((result) => {
if (!result.response && !result.location && !result.text) {
log.error('the handler did not include a "response" or a "location" field');
Expand Down Expand Up @@ -194,3 +195,34 @@ function makeExpressHandler(promiseHandler) {
}
}
}

function maskSensitiveBody(req) {
let maskBody = Object.assign({}, req.body);
let shouldMaskBody = (req.method === 'POST' && req.originalUrl.endsWith('/users')
&& !req.originalUrl.includes('classes')) ||
(req.method === 'PUT' && /users\/\w+$/.test(req.originalUrl)
&& !req.originalUrl.includes('classes')) ||
(req.originalUrl.includes('classes/_User'));
if (shouldMaskBody) {
for (let key of Object.keys(maskBody)) {
if (key == 'password') {
maskBody[key] = '********';
break;
}
}
}
return maskBody;
}

function maskSensitiveUrl(req) {
let maskUrl = req.originalUrl.toString();
let shouldMaskUrl = req.method === 'GET' && req.originalUrl.includes('/login')
&& !req.originalUrl.includes('classes');
if (shouldMaskUrl) {
let password = url.parse(req.originalUrl, true).query.password;
if (password) {
maskUrl = maskUrl.replace('password=' + password, 'password=********')
}
}
return maskUrl;
}