fix(logging-sensitive-data) Filter out logs with sensitive data.

* Fix logs from the client printing Authorization token
* Fix logic printing the full message with token and text
* Remove logging SQL queries

build.gradle.kts

@@ -2,7 +2,7 @@ plugins {
     kotlin("jvm") version "1.5.30"
     application
     distribution
-    id("net.nemerosa.versioning") version "2.14.0"
+    id("net.nemerosa.versioning") version "3.1.0"
 }
 
 group = "com.wire.bots.polls"

src/main/kotlin/com/wire/bots/polls/dto/roman/Message.kt

@@ -69,11 +69,17 @@ data class Message(
      * Type of the file
      */
     val mimeType: String?,
+
 ) {
     data class Text(
         val data: String,
         val mentions: List<Mention>?
-    )
+
+    ) {
+        override fun toString(): String {
+            return "Text(mentions=$mentions)"
+        }
+    }
 
     /**
      * Poll representation for the proxy.
@@ -97,7 +103,18 @@ data class Message(
          * Id of the button when it was clicked on.
          */
         val offset: Int?
-    )
+    ) {
+        override fun toString(): String {
+            return "PollObjectMessage(id='$id', buttons=$buttons, offset=$offset)"
+        }
+    }
+
+    /**
+     * Avoid printing out the token by mistake if object is printed.
+     */
+    override fun toString(): String {
+        return "Message(botId='$botId', userId=$userId, conversationId=$conversationId, type='$type', messageId=$messageId, text=$text, refMessageId=$refMessageId, reaction=$reaction, image=$image, handle=$handle, locale=$locale, poll=$poll, mimeType=$mimeType)"
+    }
 }
 
 /* JSON from the swagger

src/main/kotlin/com/wire/bots/polls/setup/HttpClient.kt

@@ -3,19 +3,12 @@ package com.wire.bots.polls.setup
 import com.wire.bots.polls.utils.ClientRequestMetric
 import com.wire.bots.polls.utils.createLogger
 import com.wire.bots.polls.utils.httpCall
-import io.ktor.client.HttpClient
-import io.ktor.client.engine.apache.Apache
-import io.ktor.client.features.json.JacksonSerializer
-import io.ktor.client.features.json.JsonFeature
-import io.ktor.client.features.logging.LogLevel
-import io.ktor.client.features.logging.Logger
-import io.ktor.client.features.logging.Logging
+import io.ktor.client.*
+import io.ktor.client.engine.apache.*
+import io.ktor.client.features.json.*
+import io.ktor.client.features.logging.*
 import io.micrometer.core.instrument.MeterRegistry
 
-
-/**
- * Prepares HTTP Client.
- */
 fun createHttpClient(meterRegistry: MeterRegistry) =
     HttpClient(Apache) {
         install(JsonFeature) {
@@ -32,23 +25,22 @@ fun createHttpClient(meterRegistry: MeterRegistry) =
         }
     }
 
-/**
- * Debug logger for HTTP Requests.
- */
-private val Logger.Companion.DEBUG: Logger
-    get() = object : Logger, org.slf4j.Logger by createLogger("DebugHttpClient") {
-        override fun log(message: String) {
-            debug(message)
-        }
-    }
-
-
 /**
  * Trace logger for HTTP Requests.
+ *
+ * Logs request/response bodies, params and headers.
+ * Avoids logging lines containing sensitive data
  */
 private val Logger.Companion.TRACE: Logger
     get() = object : Logger, org.slf4j.Logger by createLogger("TraceHttpClient") {
         override fun log(message: String) {
+            for (blockedWord in blockedWordList) {
+                if (message.contains(blockedWord, ignoreCase = true)) {
+                    return
+                }
+            }
             trace(message)
         }
     }
+
+private val blockedWordList = listOf("Authorization", "token", "Bearer", "text")

src/main/resources/logback.xml

@@ -27,6 +27,7 @@
 
     <logger name="org.eclipse.jetty" level="INFO"/>
     <logger name="io.netty" level="INFO"/>
+    <logger name="org.jetbrains.exposed" level="INFO"/>
 
     <logger name="com.wire" level="TRACE"/>