Merge pull request #488 from vtex/3.x-sensitive-data

valentino-amadeus · web-flow · commit 10a7fda0d24b · 2022-02-24T13:44:07.000-03:00
[3.x] Fix / Remove sensitive data from logs
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [3.77.5] - 2022-02-24
+### Fixed
+- Remove sensitive data from logs.
+
 ## [3.77.4] - 2021-10-22
 
 ## [3.77.3] - 2021-10-22
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@vtex/api",
-  "version": "3.77.4",
+  "version": "3.77.5",
   "description": "VTEX I/O API client",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",
diff --git a/src/service/graphql/middlewares/formatters.ts b/src/service/graphql/middlewares/formatters.ts
@@ -1,7 +1,8 @@
 import { formatApolloErrors } from 'apollo-server-errors'
 import { omit, pick } from 'ramda'
 
-import { cleanError, SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/error'
+import { cleanError } from '../../../utils/error'
+import { FIRST_LEVEL_SENSITIVE_FIELDS as SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/log'
 import { GraphQLServiceContext } from '../typings'
 
 const ERROR_FIELD_WHITELIST = ['message', 'path', 'stack', 'extensions', 'statusCode', 'name', 'headers', 'originalError', 'code']
diff --git a/src/service/http/middlewares/error.ts b/src/service/http/middlewares/error.ts
@@ -3,7 +3,8 @@ import { LogLevel } from '../../../clients/Logger'
 import { LINKED } from '../../../constants'
 import { cancelledRequestStatus, RequestCancelledError } from '../../../errors/RequestCancelledError'
 import { TooManyRequestsError, tooManyRequestsStatus } from '../../../errors/TooManyRequestsError'
-import { cleanError, SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/error'
+import { cleanError } from '../../../utils/error'
+import { FIRST_LEVEL_SENSITIVE_FIELDS as SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/log'
 import { ServiceContext } from '../../typings'
 
 const CACHE_CONTROL_HEADER = 'cache-control'
diff --git a/src/service/logger/index.ts b/src/service/logger/index.ts
@@ -1,5 +1,6 @@
 import { IOContext } from '../../service/typings'
 import { cleanError } from '../../utils/error'
+import { cleanLog } from '../../utils/log'
 
 const linked = !!process.env.VTEX_APP_LINK
 const app = process.env.VTEX_APP_ID
@@ -44,7 +45,9 @@ export class Logger {
 
   public log = (message: any, level: LogLevel): void => {
     const data = message ? cleanError(message) : EMPTY_MESSAGE
-    
+
+    cleanLog(data)
+
     /* tslint:disable:object-literal-sort-keys */
     const inflatedLog = {
       __VTEX_IO_LOG: true,
diff --git a/src/utils/error.ts b/src/utils/error.ts
@@ -2,7 +2,6 @@
 import { find, keys, pick } from 'ramda'
 
 export const PICKED_AXIOS_PROPS = ['baseURL', 'cacheable', 'data', 'finished', 'headers', 'method', 'timeout', 'status', 'path', 'url', 'metric', 'inflightKey', 'forceMaxAge', 'params', 'responseType']
-export const SENSITIVE_EXCEPTION_FIELDS = ['config', 'request', 'stack']
 
 const MAX_ERROR_STRING_LENGTH = process.env.MAX_ERROR_STRING_LENGTH ? parseInt(process.env.MAX_ERROR_STRING_LENGTH, 10) : 8 * 1024
 
diff --git a/src/utils/log.ts b/src/utils/log.ts
@@ -0,0 +1,14 @@
+export const FIRST_LEVEL_SENSITIVE_FIELDS = ['config', 'request', 'stack', 'error']
+export const SECOND_LEVEL_SENSITIVE_FIELDS = [ ['parsedInfo', 'requestConfig'], ['headers', 'cookie'] ]
+
+export const cleanLog = (log: any) => {
+    FIRST_LEVEL_SENSITIVE_FIELDS.forEach(field => {
+        delete log[field]
+    })
+
+    SECOND_LEVEL_SENSITIVE_FIELDS.forEach(field => {
+        if (field[0] in log) {
+            delete log[field[0]][field[1]]
+        }
+    })
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@vtex/api",`
`3`		`- "version": "3.77.4",`
	`3`	`+ "version": "3.77.5",`
`4`	`4`	`"description": "VTEX I/O API client",`
`5`	`5`	`"main": "lib/index.js",`
`6`	`6`	`"typings": "lib/index.d.ts",`