feat(links): allow Safe Browsing threats to only be logged

src/server/config.ts

@@ -167,6 +167,8 @@ export const cspOnlyReportViolations =
   process.env.CSP_ONLY_REPORT_VIOLATIONS === 'true'
 export const cspReportUri = process.env.CSP_REPORT_URI
 
+export const safeBrowsingLogOnly = process.env.SAFE_BROWSING_LOG_ONLY === 'true'
+
 export const cloudmersiveKey: string | undefined = process.env.CLOUDMERSIVE_KEY
 export const safeBrowsingKey: string | undefined = process.env.SAFE_BROWSING_KEY
 

src/server/services/SafeBrowsingService.ts

@@ -1,7 +1,7 @@
 import fetch from 'cross-fetch'
 import { injectable } from 'inversify'
 import { UrlThreatScanServiceInterface } from './interfaces/UrlThreatScanServiceInterface'
-import { logger, safeBrowsingKey } from '../config'
+import { logger, safeBrowsingKey, safeBrowsingLogOnly } from '../config'
 
 const ENDPOINT = `https://safebrowsing.googleapis.com/v4/threatMatches:find?key=${safeBrowsingKey}`
 
@@ -44,21 +44,25 @@ export class SafeBrowsingService implements UrlThreatScanServiceInterface {
       body: JSON.stringify(request),
     })
     if (!response.ok) {
-      throw new Error(
+      const error = new Error(
         `Safe Browsing failure:\tError: ${response.statusText}\thttpResponse: ${response}\t body:${response.body}`,
       )
+      if (safeBrowsingLogOnly) {
+        logger.error(error)
+      } else {
+        throw error
+      }
     }
     const result = await response.json()
     if (result?.matches) {
+      const prefix = safeBrowsingLogOnly
+        ? 'Considered threat by Safe Browsing but ignoring'
+        : 'Malicious link content'
       logger.warn(
-        `Malicious link content: ${url} yields ${JSON.stringify(
-          result.matches,
-          null,
-          2,
-        )}`,
+        `${prefix}: ${url} yields ${JSON.stringify(result.matches, null, 2)}`,
       )
     }
-    return Boolean(result?.matches)
+    return safeBrowsingLogOnly && Boolean(result?.matches)
   }
 }