fix(sanitize.util.ts): add recursive sanitization for nested metadata

yau-wd · yau-wd · commit 4f9d0e408fc4 · 2026-03-24T17:17:54.000+08:00
diff --git a/packages/server/src/utils/sanitize.util.test.ts b/packages/server/src/utils/sanitize.util.test.ts
@@ -495,6 +495,52 @@ describe('Sanitization Utilities', () => {
             const input = { userAgent: 'Moz\u0000illa/5.0' }
             expect(sanitizeAuditMetadata(input)).toEqual({ userAgent: 'Mozilla/5.0' })
         })
+
+        it('should recursively sanitize nested objects with sensitive keys', () => {
+            const input = {
+                configuration: {
+                    apiKey: 'secret-key-123',
+                    timeout: 30
+                },
+                settings: {
+                    password: 'mypassword'
+                }
+            }
+
+            expect(sanitizeAuditMetadata(input)).toEqual({
+                configuration: {
+                    apiKey: '********',
+                    timeout: 30
+                },
+                settings: {
+                    password: '********'
+                }
+            })
+        })
+
+        it('should sanitize arrays when key name is not sensitive', () => {
+            const input = {
+                items: [{ apiKey: 'secret1' }, { apiKey: 'secret2' }],
+                ports: [8080, 3000]
+            }
+
+            expect(sanitizeAuditMetadata(input)).toEqual({
+                items: [{ apiKey: '********' }, { apiKey: '********' }],
+                ports: [8080, 3000]
+            })
+        })
+
+        it('should redact entire value when key itself is sensitive, even if it is an array', () => {
+            const input = {
+                tokens: ['token1', 'token2'],
+                passwords: ['pass1', 'pass2']
+            }
+
+            expect(sanitizeAuditMetadata(input)).toEqual({
+                tokens: '********',
+                passwords: '********'
+            })
+        })
     })
 
     describe('Integration scenarios', () => {
diff --git a/packages/server/src/utils/sanitize.util.ts b/packages/server/src/utils/sanitize.util.ts
@@ -144,14 +144,32 @@ export function sanitizeAuditMetadata(metadata: Record<string, any> | undefined
         'cvv'
     ]
 
-    const sanitized: Record<string, any> = { ...metadata }
-
-    for (const key of Object.keys(sanitized)) {
+    function sanitizeValue(value: any, key: string): any {
         const lowerKey = key.toLowerCase()
-        if (sensitiveFields.some((field) => lowerKey.includes(field))) {
-            sanitized[key] = '********'
+        const isSensitive = sensitiveFields.some((field) => lowerKey.includes(field))
+
+        if (isSensitive) {
+            return '********'
+        }
+
+        if (value && typeof value === 'object' && !Array.isArray(value)) {
+            return sanitizeObject(value)
+        }
+
+        if (Array.isArray(value)) {
+            return value.map((item, index) => sanitizeValue(item, `${key}[${index}]`))
+        }
+
+        return value
+    }
+
+    function sanitizeObject(obj: Record<string, any>): Record<string, any> {
+        const result: Record<string, any> = {}
+        for (const key of Object.keys(obj)) {
+            result[key] = sanitizeValue(obj[key], key)
         }
+        return result
     }
 
-    return sanitizeNullBytes(sanitized)
+    return sanitizeNullBytes(sanitizeObject(metadata))
 }
