Redact secrets in logArgv #511
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| /** | ||
| * Redacts a string by replacing everything except the last four characters with asterisks. | ||
| * If the string is less than 12 characters long, it is completely replaced with asterisks. | ||
| * | ||
| * @param {string} text - The string to redact. | ||
| * @returns {string} The redacted string. | ||
| */ | ||
| export function redact(text) { | ||
| if (!text) return text; | ||
|
|
||
| if (text.length < 12) { | ||
| return "*".repeat(text.length); | ||
| } | ||
|
|
||
| const lastFour = text.slice(-4); | ||
| const redactedLength = text.length - 4; | ||
| return "*".repeat(redactedLength) + lastFour; | ||
|
There was a problem hiding this comment. might be good to put some of the prefix in too as they can hint to us what type of key it is. See: https://github.com/fauna/backup-restore-frontdoor/blob/main/src/auth/constants.ts For some examples There was a problem hiding this comment. Honestly, i'd rather just do the prefix and redact all the rest. that way none of the random data is displayed. its just the envelope flag. There was a problem hiding this comment. That won't help a user figure out what secret was used if it's not something they expect (such as an expected profile or env passing secret). How about for strings larger than 16, we keep the first and last 4 and redact the middle? |
||
| } | ||
|
|
||
| /** | ||
| * Stringifies an object and redacts any keys that contain the word "secret". | ||
| * | ||
| * @param {*} obj - The object to stringify. | ||
| * @param {((key, value) => value) | null} [replacer] - A function that can be used to modify the value of each key before it is redacted. | ||
| * @param {number} [space] - The number of spaces to use for indentation. | ||
| * @returns {string} The redacted string. | ||
| */ | ||
| export function redactedStringify(obj, replacer, space) { | ||
| // If replacer is not provided, use a default function that returns the value unchanged | ||
| const resolvedReplaced = replacer ? replacer : (_key, value) => value; | ||
|
|
||
| // Now we can stringify using our redact function and the resolved replacer | ||
| return JSON.stringify( | ||
| obj, | ||
| (key, value) => { | ||
| const normalizedKey = key | ||
| .toLowerCase() | ||
| .replace(/_/g, "") | ||
| .replace(/-/g, ""); | ||
| if ( | ||
| normalizedKey.includes("secret") || | ||
| normalizedKey.includes("accountkey") | ||
| ) { | ||
| return redact(resolvedReplaced(key, value)); | ||
| } | ||
| return resolvedReplaced(key, value); | ||
| }, | ||
| space, | ||
| ); | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| import { expect } from "chai"; | ||
|
|
||
| import { | ||
| redact, | ||
| redactedStringify, | ||
| } from "../../../src/lib/formatting/redact.mjs"; | ||
|
|
||
| describe("redact", () => { | ||
| it("returns null/undefined values unchanged", () => { | ||
| expect(redact(null)).to.be.null; | ||
| expect(redact(undefined)).to.be.undefined; | ||
| }); | ||
|
|
||
| it("completely redacts strings shorter than 12 characters", () => { | ||
| expect(redact("short")).to.equal("*****"); | ||
| expect(redact("mediumtext")).to.equal("**********"); | ||
| }); | ||
|
|
||
| it("keeps last 4 characters for strings 12 or more characters", () => { | ||
| expect(redact("thisislongtext")).to.equal("**********text"); | ||
| expect(redact("123456789012")).to.equal("********9012"); | ||
| }); | ||
| }); | ||
|
|
||
| describe("redactedStringify", () => { | ||
| it("redacts keys containing 'secret'", () => { | ||
| const obj = { | ||
| normal: "visible", | ||
| secret: "hide-me", | ||
| mySecret: "hide-this-too", | ||
| secret_key: "also-hidden", | ||
| }; | ||
| const result = JSON.parse(redactedStringify(obj)); | ||
|
|
||
| expect(result.normal).to.equal("visible"); | ||
| expect(result.secret).to.equal("*******"); | ||
| expect(result.mySecret).to.equal("*********-too"); | ||
| expect(result.secret_key).to.equal("***********"); | ||
| }); | ||
|
|
||
| it("redacts keys containing 'accountkey'", () => { | ||
| const obj = { | ||
| accountkey: "secret", | ||
| account_key: "1234567901234", | ||
| myaccountkey: "1234567901234", | ||
| }; | ||
| const result = JSON.parse(redactedStringify(obj)); | ||
|
|
||
| expect(result.accountkey).to.equal("******"); | ||
| expect(result.account_key).to.equal("*********1234"); | ||
| expect(result.myaccountkey).to.equal("*********1234"); | ||
| }); | ||
|
|
||
| it("respects custom replacer function", () => { | ||
| const obj = { | ||
| secret: "hide-me", | ||
| normal: "show-me", | ||
| }; | ||
| const replacer = (key, value) => | ||
| key === "normal" ? value.toUpperCase() : value; | ||
|
|
||
| const result = JSON.parse(redactedStringify(obj, replacer)); | ||
|
|
||
| expect(result.secret).to.equal("*******"); | ||
| expect(result.normal).to.equal("SHOW-ME"); | ||
| }); | ||
|
|
||
| it("respects space parameter for formatting", () => { | ||
| const obj = { normal: "visible", secret: "hide-me" }; | ||
| const formatted = redactedStringify(obj, null, 2); | ||
|
|
||
| expect(formatted).to.include("\n"); | ||
| expect(formatted).to.include(" "); | ||
| expect(JSON.parse(formatted)).to.deep.equal({ | ||
| normal: "visible", | ||
| secret: "*******", | ||
| }); | ||
| }); | ||
| }); |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is twelve based on? Is there some sort of algorithmic guarantee that 8 couldn't be brute force guessed?
I'd imagine there's some entropy number for that you could find on OWASP
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was based on https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls
Figured it's effectively equivalent for this exercise.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perfect. What i was looking for.