feat: add a mechanism to filter sensitive information in the logger

related #132
OpenPathfinder · Dec 17, 2024 · dd03cbc · dd03cbc
1 parent 3e40151
commit dd03cbc
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/__tests__/utils.test.js b/__tests__/utils.test.js
@@ -1,4 +1,4 @@
-const { validateGithubUrl, ensureGithubToken, groupArrayItemsByCriteria, isCheckApplicableToProjectCategory, getSeverityFromPriorityGroup, isDateWithinPolicy } = require('../src/utils/index')
+const { validateGithubUrl, ensureGithubToken, groupArrayItemsByCriteria, isCheckApplicableToProjectCategory, getSeverityFromPriorityGroup, isDateWithinPolicy, redactSensitiveData } = require('../src/utils/index')
 
 describe('ensureGithubToken', () => {
   let originalGithubToken
@@ -156,3 +156,15 @@ describe('isDateWithinPolicy', () => {
     expect(() => isDateWithinPolicy(undefined, policy)).toThrow('Target date is required')
   })
 })
+
+describe('redactSensitiveData', () => {
+  it('should redact sensitive data from a string', () => {
+    const input = 'This has a token: ghp_234 and other information'
+    const expected = 'This has a token: [REDACTED] and other information'
+    expect(redactSensitiveData(input)).toBe(expected)
+  })
+  it('Should return the same string if no sensitive data is found', () => {
+    const input = 'This is a normal string'
+    expect(redactSensitiveData(input)).toBe(input)
+  })
+})
diff --git a/src/utils/index.js b/src/utils/index.js
@@ -1,7 +1,30 @@
 const { add, parseISO, isBefore } = require('date-fns')
 const isURL = require('validator/lib/isURL.js')
 const pinoInit = require('pino')
+
+// GitHub token pattern: looks for patterns matching the GitHub token structure
+const GITHUB_TOKEN_PATTERN = /\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{1,255}\b/g
+
+// A helper function to redact sensitive data
+const redactSensitiveData = value => {
+  if (typeof value === 'string') {
+    return value.replace(GITHUB_TOKEN_PATTERN, '[REDACTED]')
+  }
+  return value
+}
+
 const logger = pinoInit({
+  hooks: {
+    logMethod (inputArgs, method) {
+      const [msg, obj] = inputArgs
+
+      // Redact sensitive data from message that are outside of the https://github.com/pinojs/pino/blob/main/docs/redaction.md capabilities.
+      const cleanMsg = redactSensitiveData(msg)
+      const cleanObj = redactSensitiveData(obj)
+
+      return method.apply(this, [cleanMsg, cleanObj])
+    }
+  },
   transport: {
     target: 'pino-pretty',
     options: {
@@ -103,5 +126,6 @@ module.exports = {
   getSeverityFromPriorityGroup,
   isCheckApplicableToProjectCategory,
   groupArrayItemsByCriteria,
+  redactSensitiveData,
   logger
 }