From 3012ae8649b292e1e2b879fab910a480484f75ef Mon Sep 17 00:00:00 2001
From: spoonman01
Date: Wed, 18 Sep 2024 17:38:21 +0200
Subject: [PATCH] fix(logging-sensitive-data) Filter out logs with sensitive data.

* Fix logs from the client printing Authorization token
* Fix logic printing the full message with token and text
* Remove logging SQL queries
---
 build.gradle.kts | 2 +-
 .../com/wire/bots/polls/dto/roman/Message.kt | 21 +++++++++--
 .../com/wire/bots/polls/setup/HttpClient.kt | 36 ++++++++-----------
 src/main/resources/logback.xml | 1 +
 4 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index d63b606..fdd6482 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -2,7 +2,7 @@ plugins {
     kotlin("jvm") version "1.5.30"
     application
     distribution
-    id("net.nemerosa.versioning") version "2.14.0"
+    id("net.nemerosa.versioning") version "3.1.0"
 }
 
 group = "com.wire.bots.polls"
diff --git a/src/main/kotlin/com/wire/bots/polls/dto/roman/Message.kt b/src/main/kotlin/com/wire/bots/polls/dto/roman/Message.kt
index daa9e32..b93b0e7 100644
--- a/src/main/kotlin/com/wire/bots/polls/dto/roman/Message.kt
+++ b/src/main/kotlin/com/wire/bots/polls/dto/roman/Message.kt
@@ -69,11 +69,17 @@ data class Message(
      * Type of the file
      */
     val mimeType: String?,
+
 ) {
     data class Text(
         val data: String,
         val mentions: List?
-    )
+
+    ) {
+        override fun toString(): String {
+            return "Text(mentions=$mentions)"
+        }
+    }
 
     /**
      * Poll representation for the proxy.
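Review bot: The new `Text.toString()` silently omits `data`, but nothing at the override says so, so a later maintainer who regenerates the data-class `toString` would bring message bodies back into the logs; add `/** Omits [data] on purpose: user message bodies must not reach log output. */` above the override. The blank line inserted before `) {` (the `+` line right after `val mimeType`) looks unintentional and can be dropped. Note that this only covers `toString()`: `data` is still exposed through `copy()`, destructuring and the generated `componentN`, so anything that logs the object via JSON serialisation is not protected by this change. The `Message` constructor this hunk closes starts outside the hunk.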
@@ -97,7 +103,18 @@ data class Message( * Id of the button when it was clicked on. */ val offset: Int? - ) + ) { + override fun toString(): String { + return "PollObjectMessage(id='$id', buttons=$buttons, offset=$offset)" + } + } + + /** + * Avoid printing out the token by mistake if object is printed. + */ + override fun toString(): String { + return "Message(botId='$botId', userId=$userId, conversationId=$conversationId, type='$type', messageId=$messageId, text=$text, refMessageId=$refMessageId, reaction=$reaction, image=$image, handle=$handle, locale=$locale, poll=$poll, mimeType=$mimeType)" + } } /* JSON from the swagger diff --git a/src/main/kotlin/com/wire/bots/polls/setup/HttpClient.kt b/src/main/kotlin/com/wire/bots/polls/setup/HttpClient.kt index 7af6d94..c1c0a7e 100644 --- a/src/main/kotlin/com/wire/bots/polls/setup/HttpClient.kt +++ b/src/main/kotlin/com/wire/bots/polls/setup/HttpClient.kt @@ -3,19 +3,12 @@ package com.wire.bots.polls.setup import com.wire.bots.polls.utils.ClientRequestMetric import com.wire.bots.polls.utils.createLogger import com.wire.bots.polls.utils.httpCall -import io.ktor.client.HttpClient -import io.ktor.client.engine.apache.Apache -import io.ktor.client.features.json.JacksonSerializer -import io.ktor.client.features.json.JsonFeature -import io.ktor.client.features.logging.LogLevel -import io.ktor.client.features.logging.Logger -import io.ktor.client.features.logging.Logging +import io.ktor.client.* +import io.ktor.client.engine.apache.* +import io.ktor.client.features.json.* +import io.ktor.client.features.logging.* import io.micrometer.core.instrument.MeterRegistry - -/** - * Prepares HTTP Client. - */ fun createHttpClient(meterRegistry: MeterRegistry) = HttpClient(Apache) { install(JsonFeature) { 
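Review bot: The hand-written `Message.toString()` enumerates every field except the token, so the protection now rests on nobody adding the token back the next time the field list is edited; a unit test that builds a `Message` with a known token value and asserts `toString()` does not contain it would make the intent enforceable, e.g. `assertFalse(msg.toString().contains(secretToken))`. A one-line comment on the override would also help: `// Field list is maintained by hand: never add the token field here.` The token property itself is declared outside this hunk, so I cannot confirm its name, nor whether other fields printed here (`image`, `handle`, for instance) carry data that should likewise stay out of logs. `PollObjectMessage.toString()` similarly hides whatever fields it does not list; stating which and why would keep the two overrides consistent.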
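Review bot: Replacing the seven explicit `io.ktor.*` imports with star imports and deleting the KDoc on `createHttpClient` are unrelated to the sensitive-data fix and make this change harder to audit; I would keep the explicit imports and restore the doc comment, `/** Prepares HTTP Client. */`. Star imports also hide which `Logging`/`LogLevel`/`Logger` symbols this file relies on, which matters here because the `install(Logging)` block that selects the log level and logger sits between the two hunks and is not shown. The body of `createHttpClient` continues past the end of this hunk.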
@@ -32,23 +25,22 @@ fun createHttpClient(meterRegistry: MeterRegistry) = } } -/** - * Debug logger for HTTP Requests. - */ -private val Logger.Companion.DEBUG: Logger - get() = object : Logger, org.slf4j.Logger by createLogger("DebugHttpClient") { - override fun log(message: String) { - debug(message) - } - } - - /** * Trace logger for HTTP Requests. + * + * Logs request/response bodies, params and headers. + * Avoids logging lines containing sensitive data */ private val Logger.Companion.TRACE: Logger get() = object : Logger, org.slf4j.Logger by createLogger("TraceHttpClient") { override fun log(message: String) { + for (blockedWord in blockedWordList) { + if (message.contains(blockedWord, ignoreCase = true)) { + return + } + } trace(message) } } + +private val blockedWordList = listOf("Authorization", "token", "Bearer", "text") diff --git a/src/main/resources/logback.xml b/src/main/resources/logback.xml index 2adb7ba..1381289 100644 --- a/src/main/resources/logback.xml +++ b/src/main/resources/logback.xml @@ -27,6 +27,7 @@ +
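Review bot: The `blockedWordList` check drops any trace line containing one of four substrings case-insensitively, which both over- and under-filters: `text` also matches a `Content-Type: text/plain` header line and any line containing `Context`, and `token` matches unrelated words, so ordinary diagnostic lines vanish, while a secret printed on a line that carries none of these labels still goes out. The loop is idiomatically `if (blockedWordList.any { message.contains(it, ignoreCase = true) }) return`, and the list deserves a comment stating what each entry is meant to suppress (`text` is there to keep user message bodies out, not to match a header). Because this is a best-effort heuristic, the safer control is to keep header/body tracing disabled outside development via the `LogLevel` chosen in `install(Logging)`, which lies between the hunks and is not shown; the KDoc should say the filter is best-effort rather than "Avoids logging lines containing sensitive data". Removing `Logger.DEBUG` assumes nothing in that unshown block still references it.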