fix(#289): Prevent private key decryption error data leaks

Modified decrypt() error handling to only log error type without stack traces, error details, or encrypted content. Added test to verify sensitive data is not exposed in logs. Security improvement: Prevents leakage of encrypted data or partial decryption results through error logs. Fixes #289 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-03 21:35:15 -06:00
parent ecb33a17fe
commit 77d1d14e08
2 changed files with 31 additions and 2 deletions
--- a/apps/api/src/federation/crypto.service.spec.ts
+++ b/apps/api/src/federation/crypto.service.spec.ts
@@ -2,10 +2,11 @@
 * Crypto Service Tests
 */

-import { describe, it, expect, beforeEach } from "vitest";
+import { describe, it, expect, beforeEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
 import { ConfigService } from "@nestjs/config";
 import { CryptoService } from "./crypto.service";
+import { Logger } from "@nestjs/common";

 describe("CryptoService", () => {
  let service: CryptoService;
@@ -137,6 +138,31 @@ describe("CryptoService", () => {
      // Act & Assert
      expect(() => service.decrypt(corrupted)).toThrow("Failed to decrypt data");
    });
+
+    it("should not log sensitive data in error messages", () => {
+      // Arrange
+      const loggerErrorSpy = vi.spyOn(Logger.prototype, "error");
+      const corruptedData = "corrupted:data:here";
+
+      // Act & Assert
+      expect(() => service.decrypt(corruptedData)).toThrow("Failed to decrypt data");
+
+      // Verify logger was called with safe message
+      expect(loggerErrorSpy).toHaveBeenCalled();
+      const logCall = loggerErrorSpy.mock.calls[0];
+
+      // First argument should contain error type but not sensitive data
+      expect(logCall[0]).toMatch(/Decryption failed:/);
+
+      // Should NOT log the actual error object with stack traces
+      expect(logCall.length).toBe(1); // Only one argument (the message)
+
+      // Verify the corrupted data is not in the log
+      const logMessage = logCall[0] as string;
+      expect(logMessage).not.toContain(corruptedData);
+
+      loggerErrorSpy.mockRestore();
+    });
  });

  describe("encrypt/decrypt round-trip", () => {