Merge branch 'main' into multipart-support

googleapis · Apr 2, 2024 · 92c4529 · 92c4529
2 parents 21e29dc + 696246c
commit 92c4529
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -160,6 +160,12 @@ over other authentication methods, i.e., application default credentials.
    *
    * Set `false` to disable.
    *
+   * @remarks
+   *
+   * This does not replace the requirement for an active Data Loss Prevention (DLP) provider. For DLP suggestions, see:
+   * - https://cloud.google.com/sensitive-data-protection/docs/redacting-sensitive-data#dlp_deidentify_replace_infotype-nodejs
+   * - https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets
+   *
    * @experimental
    */
   errorRedactor?: typeof defaultErrorRedactor | false;

diff --git a/package.json b/package.json
@@ -79,7 +79,7 @@
     "puppeteer": "^21.0.0",
     "sinon": "^17.0.0",
     "stream-browserify": "^3.0.0",
-    "tmp": "0.2.1",
+    "tmp": "0.2.3",
     "ts-loader": "^8.0.0",
     "typescript": "^5.1.6",
     "webpack": "^5.35.0",

diff --git a/src/common.ts b/src/common.ts
@@ -216,6 +216,12 @@ export interface GaxiosOptions {
   /**
    * An experimental error redactor.
    *
+   * @remarks
+   *
+   * This does not replace the requirement for an active Data Loss Prevention (DLP) provider. For DLP suggestions, see:
+   * - https://cloud.google.com/sensitive-data-protection/docs/redacting-sensitive-data#dlp_deidentify_replace_infotype-nodejs
+   * - https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets
+   *
    * @experimental
    */
   errorRedactor?: typeof defaultErrorRedactor | false;
@@ -366,6 +372,16 @@ export function defaultErrorRedactor<T = any>(data: {
       if (/^authentication$/.test(key)) {
         headers[key] = REDACT;
       }
+
+      // any casing of `Authorization`
+      if (/^authorization$/.test(key)) {
+        headers[key] = REDACT;
+      }
+
+      // anything containing secret, such as 'client secret'
+      if (/secret/.test(key)) {
+        headers[key] = REDACT;
+      }
     }
   }
 
@@ -377,7 +393,11 @@ export function defaultErrorRedactor<T = any>(data: {
     ) {
       const text = obj[key];
 
-      if (/grant_type=/.test(text) || /assertion=/.test(text)) {
+      if (
+        /grant_type=/.test(text) ||
+        /assertion=/.test(text) ||
+        /secret/.test(text)
+      ) {
         obj[key] = REDACT;
       }
     }
@@ -392,6 +412,10 @@ export function defaultErrorRedactor<T = any>(data: {
       if ('assertion' in obj) {
         obj['assertion'] = REDACT;
       }
+
+      if ('client_secret' in obj) {
+        obj['client_secret'] = REDACT;
+      }
     }
   }
 
@@ -411,6 +435,10 @@ export function defaultErrorRedactor<T = any>(data: {
         url.searchParams.set('token', REDACT);
       }
 
+      if (url.searchParams.has('client_secret')) {
+        url.searchParams.set('client_secret', REDACT);
+      }
+
       data.config.url = url.toString();
     } catch {
       // ignore error - no need to parse an invalid URL

diff --git a/test/test.getch.ts b/test/test.getch.ts
@@ -767,20 +767,23 @@ describe('🎏 data handling', () => {
 
     const customURL = new URL(url);
     customURL.searchParams.append('token', 'sensitive');
+    customURL.searchParams.append('client_secret', 'data');
     customURL.searchParams.append('random', 'non-sensitive');
 
     const config: GaxiosOptions = {
       headers: {
         authentication: 'My Auth',
+        authorization: 'My Auth',
         'content-type': 'application/x-www-form-urlencoded',
         random: 'data',
       },
       data: {
         grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
         assertion: 'somesensitivedata',
         unrelated: 'data',
+        client_secret: 'data',
       },
-      body: 'grant_type=somesensitivedata&assertion=somesensitivedata',
+      body: 'grant_type=somesensitivedata&assertion=somesensitivedata&client_secret=data',
     };
 
     // simulate JSON response
@@ -819,13 +822,15 @@ describe('🎏 data handling', () => {
       assert.deepStrictEqual(e.config.headers, {
         ...config.headers, // non-redactables should be present
         authentication: REDACT,
+        authorization: REDACT,
       });
 
       // config redactions - data
       assert.deepStrictEqual(e.config.data, {
         ...config.data, // non-redactables should be present
         grant_type: REDACT,
         assertion: REDACT,
+        client_secret: REDACT,
       });
 
       // config redactions - body
@@ -836,6 +841,7 @@ describe('🎏 data handling', () => {
       const resultURL = new URL(e.config.url);
       assert.notDeepStrictEqual(resultURL.toString(), customURL.toString());
       customURL.searchParams.set('token', REDACT);
+      customURL.searchParams.set('client_secret', REDACT);
       assert.deepStrictEqual(resultURL.toString(), customURL.toString());
 
       // response redactions
@@ -844,11 +850,13 @@ describe('🎏 data handling', () => {
       assert.deepStrictEqual(e.response.headers, {
         ...responseHeaders, // non-redactables should be present
         authentication: REDACT,
+        authorization: REDACT,
       });
       assert.deepStrictEqual(e.response.data, {
         ...response, // non-redactables should be present
-        grant_type: REDACT,
         assertion: REDACT,
+        client_secret: REDACT,
+        grant_type: REDACT,
       });
     } finally {
       scope.done();