Redact sensitive information

Author: bigfluffycookie

packages/server/shared/src/lib/logger/log-cleaner.ts

@@ -4,6 +4,72 @@ import { ApplicationError } from '@openops/shared';
 
 export const maxFieldLength = 2048;
 
+const REDACTED = '[REDACTED]';
+
+const SENSITIVE_FIELDS = [
+  'password',
+  'newPassword',
+  'oldPassword',
+  'currentPassword',
+  'confirmPassword',
+  'token',
+  'accessToken',
+  'refreshToken',
+  'apiKey',
+  'secret',
+  'privateKey',
+  'authorization',
+  'cookie',
+  'sessionId',
+  'passphrase',
+];
+
+const isSensitiveField = (key: string): boolean => {
+  return SENSITIVE_FIELDS.includes(key.toLowerCase());
+};
+
+const redactSensitiveFields = (obj: any): any => {
+  if (obj === null || obj === undefined) {
+    return obj;
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map((item) => redactSensitiveFields(item));
+  }
+
+  if (typeof obj !== 'object') {
+    return obj;
+  }
+
+  const redacted: any = {};
+  for (const key in obj) {
+    if (isSensitiveField(key)) {
+      redacted[key] = REDACTED;
+    } else if (typeof obj[key] === 'object' && obj[key] !== null) {
+      redacted[key] = redactSensitiveFields(obj[key]);
+    } else {
+      redacted[key] = obj[key];
+    }
+  }
+  return redacted;
+};
+
+const redactSensitiveDataInString = (
+  value: string | undefined,
+): string | undefined => {
+  if (!value) {
+    return value;
+  }
+  let result = value;
+  SENSITIVE_FIELDS.forEach((field) => {
+    result = result.replace(
+      new RegExp(`"${field}"\\s*:\\s*"[^"]*"`, 'gi'),
+      `"${field}":"${REDACTED}"`,
+    );
+  });
+  return result;
+};
+
 export const truncate = (
   value: string | undefined,
   maxLength: number = maxFieldLength,
@@ -15,7 +81,7 @@ export const truncate = (
 
 export const cleanLogEvent = (logEvent: any) => {
   if (logEvent.message) {
-    logEvent.message = truncate(logEvent.message);
+    logEvent.message = redactSensitiveDataInString(truncate(logEvent.message));
   }
 
   if (!logEvent.event) {
@@ -34,14 +100,18 @@ export const cleanLogEvent = (logEvent: any) => {
       continue;
     }
 
-    if (key === 'res' && value && value.raw) {
+    if (isSensitiveField(key)) {
+      eventData[key] = REDACTED;
+    } else if (key === 'res' && value && value.raw) {
       extractRequestFields(value, eventData, logEvent);
     } else if (value instanceof Error) {
       extractErrorFields(key, value, eventData, logEvent);
     } else if (typeof value === 'number') {
       eventData[key] = Math.round(value * 100) / 100;
     } else if (typeof value === 'object') {
-      eventData[key] = stringify(value);
+      eventData[key] = stringify(redactSensitiveFields(value));
+    } else if (typeof value === 'string') {
+      eventData[key] = redactSensitiveDataInString(truncate(value));
     } else {
       eventData[key] = truncate(value);
     }
@@ -76,19 +146,23 @@ function extractErrorFields(
 ) {
   const errorKey = key === 'err' ? 'error' : key;
   const { stack, message, name, ...context } = value;
-  eventData[errorKey + 'Stack'] = truncate(stack);
+  eventData[errorKey + 'Stack'] = redactSensitiveDataInString(truncate(stack));
   if (message) {
-    eventData[errorKey + 'Message'] = truncate(message);
+    eventData[errorKey + 'Message'] = redactSensitiveDataInString(
+      truncate(message),
+    );
     if (!logEvent.message) {
-      logEvent.message = truncate(message);
+      logEvent.message = redactSensitiveDataInString(truncate(message));
     }
   }
   eventData[errorKey + 'Name'] = truncate(name);
   if (value instanceof ApplicationError) {
     eventData[errorKey + 'Code'] = truncate(value.error.code);
-    eventData[errorKey + 'Params'] = stringify(value.error.params);
-  } else if (context && Object.keys(context).length) {
-    eventData[errorKey + 'Context'] = stringify(context);
+    eventData[errorKey + 'Params'] = stringify(
+      redactSensitiveFields(value.error.params),
+    );
+  } else if (Object.keys(context).length) {
+    eventData[errorKey + 'Context'] = stringify(redactSensitiveFields(context));
   }
 }
 

packages/server/shared/test/log-cleaner.test.ts

@@ -137,6 +137,67 @@ describe('log-cleaner', () => {
     });
   });
 
+  describe('sensitive data redaction', () => {
+    it('should redact password field', () => {
+      const logEvent = {
+        event: {
+          email: 'user@example.com',
+          password: 'secret',
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.password).toBe('[REDACTED]');
+      expect(result.event.email).toBe('user@example.com');
+    });
+
+    it('should redact authorization field in objects', () => {
+      const logEvent = {
+        event: {
+          request: {
+            method: 'POST',
+            authorization: 'Bearer token',
+          },
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.request).toContain('[REDACTED]');
+      expect(result.event.request).not.toContain('Bearer token');
+    });
+
+    it('should redact password in stringified JSON', () => {
+      const logEvent = {
+        event: {
+          body: '{"email":"user@example.com","password":"secret"}',
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.body).toContain('[REDACTED]');
+      expect(result.event.body).not.toContain('secret');
+    });
+
+    it('should redact password in nested objects', () => {
+      const logEvent = {
+        event: {
+          request: {
+            email: 'user@example.com',
+            password: 'secret',
+          },
+        },
+      };
+
+      const result = cleanLogEvent(logEvent);
+
+      expect(result.event.request).toContain('[REDACTED]');
+      expect(result.event.request).not.toContain('secret');
+    });
+  });
+
   describe('error objects', () => {
     it('should map error object', () => {
       const error = new Error('test error');