Merge pull request #814 from snyk/chore/hide-ghsa-access-tokens-in-logs
chore: add log sanitisation for uni brkr and plugins
aarlaud authored Sep 5, 2024
2 parents 95bf037 + e137281 commit d9668ed
Showing 1 changed file with 73 additions and 0 deletions.
73 changes: 73 additions & 0 deletions lib/logs/logger.ts
Expand Up @@ -2,6 +2,10 @@ import bunyan from 'bunyan';
import escapeRegExp from 'lodash.escaperegexp';
import mapValues from 'lodash.mapvalues';
import { getConfig } from '../common/config/config';
import {
getPluginsConfig,
getPluginsConfigByConnectionKey,
} from '../common/config/pluginsConfig';

const sanitiseConfigVariable = (raw, variable) =>
raw.replace(
Expand All @@ -20,6 +24,35 @@ const sanitiseConfigVariables = (raw, variable) => {
return raw;
};

const sanitiseConnectionConfigVariables = (
raw,
variable,
connections,
connectionKey,
) => {
for (const cfgVar of Object.keys(connections[connectionKey])) {
if (cfgVar == variable) {
raw = raw.replace(
new RegExp(escapeRegExp(connections[connectionKey][cfgVar]), 'igm'),
'${' + variable + '}',
);
}
}
return raw;
};

const sanitisePluginsConfigVariables = (raw, variable, pluginConfig) => {
for (const cfgVar of Object.keys(pluginConfig)) {
if (cfgVar == variable) {
raw = raw.replace(
new RegExp(escapeRegExp(pluginConfig[cfgVar]), 'igm'),
'${' + variable + '}',
);
}
}
return raw;
};

const sanitiseConfigValue = (raw, value, text) =>
raw.replace(value, '${' + text + '}');

Expand All @@ -46,9 +79,11 @@ export const sanitise = (raw) => {
'GITHUB_TOKEN_POOL',
'BITBUCKET_USERNAME',
'BITBUCKET_PASSWORD',
'BITBUCKET_PAT',
'GITLAB_TOKEN',
'JIRA_USERNAME',
'JIRA_PASSWORD',
'JIRA_PAT',
'AZURE_REPOS_TOKEN',
'ARTIFACTORY_URL',
'CR_CREDENTIALS',
Expand All @@ -65,7 +100,14 @@ export const sanitise = (raw) => {
'GIT_CLIENT_URL',
'NEXUS_URL',
'BASE_NEXUS_URL',
'CHECKMARX_PASSWORD',
'SONARQUBE_API_TOKEN',
];
const universalBrokerConnectionsVariables = [
...variables,
'GITHUB_APP_CLIENT_ID',
];
const universalBrokerPluginsVariables = ['GHA_ACCESS_TOKEN', 'JWT_TOKEN'];

for (const variable of variables) {
// Copies original `raw`, doesn't mutate it.
Expand All @@ -80,13 +122,42 @@ export const sanitise = (raw) => {
raw = sanitiseConfigVariables(raw, pool);
}
}
if (config.universalBrokerEnabled) {
for (const variable of universalBrokerConnectionsVariables) {
for (const connectionKey of Object.keys(config.connections)) {
raw = sanitiseConnectionConfigVariables(
raw,
variable,
config.connections,
connectionKey,
);
}
}
for (const variable of universalBrokerPluginsVariables) {
for (const connectionKey of Object.keys(getPluginsConfig())) {
raw = sanitisePluginsConfigVariables(
raw,
variable,
getPluginsConfigByConnectionKey(connectionKey),
);
}
}
}

return raw;
};

function sanitiseObject(obj) {
return mapValues(obj, (v) => sanitise(v));
}
function sanitiseConnection(connection) {
const connectionObj = JSON.parse(JSON.stringify(connection));
return sanitiseObject(connectionObj);
}
function sanitisePlugins(pluginData) {
const pluginObj = JSON.parse(JSON.stringify(pluginData));
return sanitiseObject(pluginObj);
}

function sanitiseHeaders(headers) {
const hdrs = JSON.parse(JSON.stringify(headers));
Expand Down Expand Up @@ -132,8 +203,10 @@ export const log = bunyan.createLogger({
headers: sanitiseHeaders,
responseHeaders: sanitiseHeaders,
requestHeaders: sanitiseHeaders,
connection: sanitiseConnection,
err: serialiseError,
error: serialiseError,
accessToken: sanitisePlugins,
},
});
type LogLevels = 'fatal' | 'error' | 'warn' | 'info' | 'debug' | 'trace';
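Review bot: `sanitiseConnectionConfigVariables` and `sanitisePluginsConfigVariables` build the regex straight from the config value, so an entry that is empty, `undefined` or `null` (lodash's `escapeRegExp` coerces those to `''`) becomes `new RegExp('', 'igm')`, and `raw.replace` then splices the `${VAR}` placeholder between every character of the log line instead of masking a secret; a non-string value is coerced to its `toString` form the same way. Both helpers are the same `Object.keys` scan for a single key, which is just a property lookup, so the connection variant can delegate to the plugins one once the guard is in place; I can't see whether the pre-existing `sanitiseConfigVariables` already guards empty values, but whatever it does should be mirrored here. In `sanitise`, `getPluginsConfig()` and `getPluginsConfigByConnectionKey()` are called again for every entry of `universalBrokerPluginsVariables` and could be hoisted above the outer loop, and `Object.keys(config.connections)` will throw if `universalBrokerEnabled` is set while `connections` is absent (presumably config validation prevents that — worth confirming). `sanitise`'s body starts before the hunk.
```typescript
const sanitisePluginsConfigVariables = (raw, variable, pluginConfig) => {
  const value = pluginConfig?.[variable];
  // Skip empty or non-string secrets: an empty pattern matches at every
  // offset and would insert the placeholder between every character of `raw`.
  if (typeof value !== 'string' || value.length === 0) {
    return raw;
  }
  return raw.replace(
    new RegExp(escapeRegExp(value), 'igm'),
    '${' + variable + '}',
  );
};

const sanitiseConnectionConfigVariables = (
  raw,
  variable,
  connections,
  connectionKey,
) => sanitisePluginsConfigVariables(raw, variable, connections[connectionKey]);
```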
