Obfuscate password name value pairs in log strings (#2755)

* Unit test to catch password in logs. * Add clean to logger controller to "look for" password strings in log messages.
2016-09-20 21:45:24 -04:00
parent 5feceaa6d6
commit ad707457be
4 changed files with 33 additions and 7 deletions
--- a/spec/CloudCodeLogger.spec.js
+++ b/spec/CloudCodeLogger.spec.js
@@ -55,6 +55,24 @@ describe("Cloud Code Logger", () => {
        });
    });

+    it('trigger should obfuscate password', done => {
+        const logController = new LoggerController(new WinstonLoggerAdapter());
+
+        Parse.Cloud.beforeSave(Parse.User, (req, res) => {
+            res.success(req.object);
+        });
+
+        Parse.User.signUp('tester123', 'abc')
+            .then(() => logController.getLogs({ from: Date.now() - 500, size: 1000 }))
+            .then((res) => {
+                const entry = res[0];
+                expect(entry.message).not.toMatch(/password":"abc/);
+                expect(entry.message).toMatch(/\*\*\*\*\*\*\*\*/);
+                done();
+            })
+            .then(null, e => done.fail(e));
+    });
+
    it("should expose log to trigger", (done) => {
        var logController = new LoggerController(new WinstonLoggerAdapter());

--- a/src/Controllers/LoggerController.js
+++ b/src/Controllers/LoggerController.js
@@ -61,6 +61,14 @@ export class LoggerController extends AdaptableController {
    return null;
  }

+  cleanAndTruncateLogMessage(string) {
+    return this.truncateLogMessage(this.cleanLogMessage(string));
+  }
+
+  cleanLogMessage(string) {
+    return string.replace(/password":"[^"]*"/g, 'password":"********"');
+  }
+
  truncateLogMessage(string) {
    if (string && string.length > LOG_STRING_TRUNCATE_LENGTH) {
      const truncated = string.substring(0, LOG_STRING_TRUNCATE_LENGTH) + truncationMarker;
--- a/src/Routers/FunctionsRouter.js
+++ b/src/Routers/FunctionsRouter.js
@@ -103,7 +103,7 @@ export class FunctionsRouter extends PromiseRouter {
    const applicationId = req.config.applicationId;
    const theFunction = triggers.getFunction(functionName, applicationId);
    const theValidator = triggers.getValidator(req.params.functionName, applicationId);
-    if (theFunction) {      
+    if (theFunction) {
      let params = Object.assign({}, req.body, req.query);
      params = parseParams(params);
      var request = {
@@ -125,10 +125,10 @@ export class FunctionsRouter extends PromiseRouter {

      return new Promise(function (resolve, reject) {
        const userString = (req.auth && req.auth.user) ? req.auth.user.id : undefined;
-        const cleanInput = logger.truncateLogMessage(JSON.stringify(params));
+        const cleanInput = logger.cleanAndTruncateLogMessage(JSON.stringify(params));
        var response = FunctionsRouter.createResponseObject((result) => {
          try {
-            const cleanResult = logger.truncateLogMessage(JSON.stringify(result.response.result));
+            const cleanResult = logger.cleanAndTruncateLogMessage(JSON.stringify(result.response.result));
            logger.info(`Ran cloud function ${functionName} for user ${userString} `
              + `with:\n  Input: ${cleanInput }\n  Result: ${cleanResult }`, {
              functionName,
--- a/src/triggers.js
+++ b/src/triggers.js
@@ -212,7 +212,7 @@ function userIdForLog(auth) {
 }

 function logTriggerAfterHook(triggerType, className, input, auth) {
-  const cleanInput = logger.truncateLogMessage(JSON.stringify(input));
+  const cleanInput = logger.cleanAndTruncateLogMessage(JSON.stringify(input));
  logger.info(`${triggerType} triggered for ${className} for user ${userIdForLog(auth)}:\n  Input: ${cleanInput}`, {
    className,
    triggerType,
@@ -221,8 +221,8 @@ function logTriggerAfterHook(triggerType, className, input, auth) {
 }

 function logTriggerSuccessBeforeHook(triggerType, className, input, result, auth) {
-  const cleanInput = logger.truncateLogMessage(JSON.stringify(input));
-  const cleanResult = logger.truncateLogMessage(JSON.stringify(result));
+  const cleanInput = logger.cleanAndTruncateLogMessage(JSON.stringify(input));
+  const cleanResult = logger.cleanAndTruncateLogMessage(JSON.stringify(result));
  logger.info(`${triggerType} triggered for ${className} for user ${userIdForLog(auth)}:\n  Input: ${cleanInput}\n  Result: ${cleanResult}`, {
    className,
    triggerType,
@@ -231,7 +231,7 @@ function logTriggerSuccessBeforeHook(triggerType, className, input, result, auth
 }

 function logTriggerErrorBeforeHook(triggerType, className, input, auth, error) {
-  const cleanInput = logger.truncateLogMessage(JSON.stringify(input));
+  const cleanInput = logger.cleanAndTruncateLogMessage(JSON.stringify(input));
  logger.error(`${triggerType} failed for ${className} for user ${userIdForLog(auth)}:\n  Input: ${cleanInput}\n  Error: ${JSON.stringify(error)}`, {
    className,
    triggerType,