feat: Add client_secret to defaultErrorRedactor #604

Closed
khitrenovich opened this issue Feb 20, 2024 · 2 comments · Fixed by #609
Labels
good first issue This issue is a good place to started contributing to this repository. priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

khitrenovich commented Feb 20, 2024

Is your feature request related to a problem? Please describe.

We recently realized that while some sensitive data is being filtered automatically from being logged, we see client_secret data fields are not. Upon some digging into the gaxios code, I found that defaultErrorRedactor is built to redact errors and is responsible for masking the rest of the fields, but client_secret is not handled.

Describe the solution you'd like

I would like defaultErrorRedactor to mask client_secret (or maybe just any /secret/ field). This will benefit all the customers.

Describe alternatives you've considered

An alternative is to implement our own error redactor, duplicating the code that is already there, and mask client_secret too. Then we will have to use it everywhere we use gaxios, which is error-prone since it is easy to miss places. The same goes for the alternative of redacting the error object after it has already been thrown.

Additional context

N/A

@khitrenovich khitrenovich added priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. labels Feb 20, 2024
@danielbankhead
Member

I think this is a worthwhile security enhancement - thanks for filing! Once we have some bandwidth we'll work on adding this via a /secret/ regex.

@danielbankhead danielbankhead changed the title Add client_secret to defaultErrorRedactor feat: Add client_secret to defaultErrorRedactor Mar 6, 2024
@danielbankhead danielbankhead added the good first issue This issue is a good place to started contributing to this repository. label Mar 6, 2024
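
As an added illustration of the /secret/ approach discussed above (not gaxios code and not the change merged for this issue), the example below masks every key matching `/secret/i` in the headers, URL query and body of an error's request config. The function names and the error shape `{ message, config: { url, headers, data } }` are assumptions made for this example.

```javascript
const REDACTED = 'REDACTED';
const SECRET_KEY = /secret/i; // key pattern proposed in the thread
// Mask values whose key matches, recursing through nested objects and arrays.
function redactObject(value) {
  if (Array.isArray(value)) return value.map(v => redactObject(v));
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(Object.entries(value).map(([k, v]) =>
    [k, SECRET_KEY.test(k) ? REDACTED : redactObject(v)]));
}

// Mask matching parameters in a query string or form-encoded body.
function redactParams(text) {
  const params = new URLSearchParams(text);
  for (const key of new Set(params.keys())) {
    if (SECRET_KEY.test(key)) params.set(key, REDACTED);
  }
  return params.toString();
}

// String bodies: JSON, else form-encoded if they contain '='; other text is unchanged.
function redactBody(text) {
  try { return JSON.stringify(redactObject(JSON.parse(text))); } catch { /* not JSON */ }
  return text.includes('=') ? redactParams(text) : text;
}

// Works on absolute and relative URLs; the fragment is kept as-is.
function redactUrl(url) {
  const q = url.indexOf('?');
  const h = url.indexOf('#', q < 0 ? 0 : q);
  const end = h < 0 ? url.length : h;
  return q < 0 ? url : url.slice(0, q + 1) + redactParams(url.slice(q + 1, end)) + url.slice(end);
}

// Returns a redacted copy. Assumed shape: { message, config: { url, headers, data } }.
function redactErrorLike(err) {
  const config = { ...err.config };
  if (config.headers) config.headers = redactObject(config.headers);
  if (typeof config.url === 'string') config.url = redactUrl(config.url);
  if (typeof config.data === 'string') config.data = redactBody(config.data);
  else if (config.data) config.data = redactObject(config.data);
  return { ...err, config };
}

// Constructed sample: a failed token request carrying the secret in three places.
const sample = { message: 'invalid_client', config: {
  url: 'https://auth.example.test/token?client_secret=in-query',
  headers: { 'X-Client-Secret': 'in-header', Accept: 'application/json' },
  data: 'grant_type=client_credentials&client_id=abc&client_secret=in-body',
} };
```

Matching on the key name catches variants such as `app_secret` or `X-Client-Secret`, while a secret stored under an unrelated key name passes through unmasked.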
@danielbankhead
Member

Circling back, opened a PR to resolve:
