Merge pull request #495 from vtex/3.x-sensitive-data

[3.x] Fix / Only remove cookie fields when removing sensitive data from logs

Author: valentino-amadeus

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [3.77.6] - 2022-03-08
+### Fixed
+- Only remove cookie fields when removing sensitive data from logs.
+
 ## [3.77.5] - 2022-02-24
 ### Fixed
 - Remove sensitive data from logs.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vtex/api",
-  "version": "3.77.5",
+  "version": "3.77.6",
   "description": "VTEX I/O API client",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",

src/service/graphql/middlewares/formatters.ts

@@ -1,8 +1,7 @@
 import { formatApolloErrors } from 'apollo-server-errors'
 import { omit, pick } from 'ramda'
 
-import { cleanError } from '../../../utils/error'
-import { FIRST_LEVEL_SENSITIVE_FIELDS as SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/log'
+import { cleanError, SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/error'
 import { GraphQLServiceContext } from '../typings'
 
 const ERROR_FIELD_WHITELIST = ['message', 'path', 'stack', 'extensions', 'statusCode', 'name', 'headers', 'originalError', 'code']

src/service/http/middlewares/error.ts

@@ -3,8 +3,7 @@ import { LogLevel } from '../../../clients/Logger'
 import { LINKED } from '../../../constants'
 import { cancelledRequestStatus, RequestCancelledError } from '../../../errors/RequestCancelledError'
 import { TooManyRequestsError, tooManyRequestsStatus } from '../../../errors/TooManyRequestsError'
-import { cleanError } from '../../../utils/error'
-import { FIRST_LEVEL_SENSITIVE_FIELDS as SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/log'
+import { cleanError, SENSITIVE_EXCEPTION_FIELDS } from '../../../utils/error'
 import { ServiceContext } from '../../typings'
 
 const CACHE_CONTROL_HEADER = 'cache-control'

src/utils/error.ts

@@ -2,6 +2,7 @@
 import { find, keys, pick } from 'ramda'
 
 export const PICKED_AXIOS_PROPS = ['baseURL', 'cacheable', 'data', 'finished', 'headers', 'method', 'timeout', 'status', 'path', 'url', 'metric', 'inflightKey', 'forceMaxAge', 'params', 'responseType']
+export const SENSITIVE_EXCEPTION_FIELDS = ['config', 'request', 'stack']
 
 const MAX_ERROR_STRING_LENGTH = process.env.MAX_ERROR_STRING_LENGTH ? parseInt(process.env.MAX_ERROR_STRING_LENGTH, 10) : 8 * 1024
 

src/utils/json.ts

@@ -0,0 +1,17 @@
+export function cleanJson(json: {[k: string]: any}, targetFields: string[]) {
+    for (const key of Object.keys(json)) {
+        let deleted = false
+        for (const field of targetFields) {
+            if (key === field) {
+                delete json[key]
+                deleted = true
+            }
+        }
+
+        if (!deleted && json[key] && typeof json[key] === 'object') {
+            json[key] = cleanJson(json[key], targetFields)
+        }
+    }
+
+    return json
+}

src/utils/log.ts

@@ -1,14 +1,7 @@
-export const FIRST_LEVEL_SENSITIVE_FIELDS = ['config', 'request', 'stack', 'error']
-export const SECOND_LEVEL_SENSITIVE_FIELDS = [ ['parsedInfo', 'requestConfig'], ['headers', 'cookie'] ]
+import { cleanJson } from './json'
 
-export const cleanLog = (log: any) => {
-    FIRST_LEVEL_SENSITIVE_FIELDS.forEach(field => {
-        delete log[field]
-    })
+const SENSITIVE_FIELDS = ['cookie', 'Cookie', 'vtexIdclientautcookie', 'error']
 
-    SECOND_LEVEL_SENSITIVE_FIELDS.forEach(field => {
-        if (field[0] in log) {
-            delete log[field[0]][field[1]]
-        }
-    })
-}
+export const cleanLog = (log: {[k: string]: any}) => {
+    return cleanJson(log, SENSITIVE_FIELDS)
+}