Move password masking out of logging clients where possible (#2762)

Move password masking functionality into LoggerController. The is a more aggresive approach to masking password string in the logs. Cleaning the url is still in the PromiseRouter because picking it out of the log string would be fragile. This will cause more log messages to be scanned for password strings, and may cause a password string to be obsfucated that is not neccesarily part of parse internals -- but i think that is still a good thing.... see: #2755 & #2680
2016-09-22 12:05:54 -07:00
parent ad707457be
commit a41cbcbc7f
5 changed files with 50 additions and 53 deletions
--- a/src/Controllers/LoggerController.js
+++ b/src/Controllers/LoggerController.js
@@ -2,6 +2,7 @@ import { Parse } from 'parse/node';
 import PromiseRouter from '../PromiseRouter';
 import AdaptableController from './AdaptableController';
 import { LoggerAdapter } from '../Adapters/Logger/LoggerAdapter';
+import url from 'url';

 const MILLISECONDS_IN_A_DAY = 24 * 60 * 60 * 1000;
 const LOG_STRING_TRUNCATE_LENGTH = 1000;
@@ -19,8 +20,48 @@ export const LogOrder = {

 export class LoggerController extends AdaptableController {

+  maskSensitiveUrl(urlString) {
+    const password = url.parse(urlString, true).query.password;
+
+    if (password) {
+      urlString = urlString.replace('password=' + password, 'password=********');
+    }
+    return urlString;
+  }
+
+  maskSensitive(argArray) {
+    return argArray.map(e => {
+      if (!e) {
+        return e;
+      }
+
+      if (typeof e === 'string') {
+        return e.replace(/(password".?:.?")[^"]*"/g, '$1********"');
+      }
+      // else it is an object...
+
+      // check the url
+      if (e.url) {
+        e.url = this.maskSensitiveUrl(e.url);
+      }
+
+      if (e.body) {
+        for (let key of Object.keys(e.body)) {
+          if (key === 'password') {
+            e.body[key] = '********';
+            break;
+          }
+        }
+      }
+
+      return e;
+    });
+  }
+
  log(level, args) {
-    args = [].concat(level, [...args]);
+    // make the passed in arguments object an array with the spread operator
+    args = this.maskSensitive([...args]);
+    args = [].concat(level, args);
    this.adapter.log.apply(this.adapter, args);
  }

@@ -61,14 +102,6 @@ export class LoggerController extends AdaptableController {
    return null;
  }

-  cleanAndTruncateLogMessage(string) {
-    return this.truncateLogMessage(this.cleanLogMessage(string));
-  }
-
-  cleanLogMessage(string) {
-    return string.replace(/password":"[^"]*"/g, 'password":"********"');
-  }
-
  truncateLogMessage(string) {
    if (string && string.length > LOG_STRING_TRUNCATE_LENGTH) {
      const truncated = string.substring(0, LOG_STRING_TRUNCATE_LENGTH) + truncationMarker;