mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

fix(#188): sanitize Discord error logs to prevent secret exposure

Browse Source 
P1 SECURITY FIX - Prevents credential leakage through error logs

Changes:
1. Created comprehensive log sanitization utility (log-sanitizer.ts)
   - Detects and redacts API keys, tokens, passwords, emails
   - Deep object traversal with circular reference detection
   - Preserves Error objects and non-sensitive data
   - Performance optimized (<100ms for 1000+ keys)

2. Integrated sanitizer into Discord service error logging
   - All error logs automatically sanitized before Discord broadcast
   - Prevents bot tokens, API keys, passwords from being exposed

3. Comprehensive test suite (32 tests, 100% passing)
   - Tests all sensitive pattern detection
   - Verifies deep object sanitization
   - Validates performance requirements

Security Patterns Redacted:
- API keys (sk_live_*, pk_test_*)
- Bearer tokens and JWT tokens
- Discord bot tokens
- Authorization headers
- Database credentials
- Email addresses
- Environment secrets
- Generic password patterns

Test Coverage: 97.43% (exceeds 85% requirement)

Fixes #188

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-02 12:24:29 -06:00
parent 29b120a6f1
commit e3479aeffd
6 changed files with 788 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

311
apps/api/src/common/utils/log-sanitizer.spec.ts Normal file
View File

@@ -0,0 +1,311 @@
import { describe, it, expect } from "vitest";
import { sanitizeForLogging } from "./log-sanitizer";
describe("sanitizeForLogging", () => {
describe("String sanitization", () => {
it("should redact API keys", () => {
const input = "Error with API key: sk_live_1234567890abcdef";
const result = sanitizeForLogging(input);
expect(result).toBe("Error with API key: [REDACTED]");
});
it("should redact bearer tokens", () => {
const input = "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
const result = sanitizeForLogging(input);
expect(result).toBe("Authorization: Bearer [REDACTED]");
});
it("should redact Discord bot tokens", () => {
const input = "Bot token: MTk4NjIyNDgzNDcxOTI1MjQ4.Cl2FMQ.ZnCjm1XVW7vRze4b7Cq4se7kKWs";
const result = sanitizeForLogging(input);
expect(result).toBe("Bot token: [REDACTED]");
});
it("should redact passwords in strings", () => {
const input = 'Connection failed with password="secret123"';
const result = sanitizeForLogging(input);
expect(result).toBe('Connection failed with password="[REDACTED]"');
});
it("should redact email addresses", () => {
const input = "User email: user@example.com failed to authenticate";
const result = sanitizeForLogging(input);
expect(result).toBe("User email: [REDACTED] failed to authenticate");
});
it("should redact database connection strings", () => {
const input = "postgresql://user:password123@localhost:5432/mydb";
const result = sanitizeForLogging(input);
expect(result).toBe("postgresql://user:[REDACTED]@localhost:5432/mydb");
});
it("should redact authorization headers", () => {
const input = "Authorization: Basic dXNlcjpwYXNzd29yZA==";
const result = sanitizeForLogging(input);
expect(result).toBe("Authorization: Basic [REDACTED]");
});
it("should preserve non-sensitive strings", () => {
const input = "This is a regular log message without secrets";
const result = sanitizeForLogging(input);
expect(result).toBe("This is a regular log message without secrets");
});
it("should redact environment variable style secrets", () => {
const input = "API_KEY=abc123def456 failed";
const result = sanitizeForLogging(input);
expect(result).toBe("API_KEY=[REDACTED] failed");
});
it("should redact multiple secrets in one string", () => {
const input = "token=xyz123 and password=secret456";
const result = sanitizeForLogging(input);
expect(result).toBe("token=[REDACTED] and password=[REDACTED]");
});
});
describe("Object sanitization", () => {
it("should redact secrets in flat objects", () => {
const input = {
message: "Error occurred",
apiKey: "sk_live_1234567890",
token: "Bearer abc123",
};
const result = sanitizeForLogging(input);
expect(result).toEqual({
message: "Error occurred",
apiKey: "[REDACTED]",
token: "[REDACTED]",
});
});
it("should redact secrets in nested objects", () => {
const input = {
error: {
message: "Auth failed",
credentials: {
username: "admin",
password: "secret123",
},
},
};
const result = sanitizeForLogging(input);
expect(result).toEqual({
error: {
message: "Auth failed",
credentials: {
username: "admin",
password: "[REDACTED]",
},
},
});
});
it("should redact secrets based on key names", () => {
const input = {
apiKey: "secret",
api_key: "secret",
API_KEY: "secret",
bearerToken: "token",
accessToken: "token",
password: "pass",
secret: "secret",
client_secret: "secret",
};
const result = sanitizeForLogging(input);
expect(result).toEqual({
apiKey: "[REDACTED]",
api_key: "[REDACTED]",
API_KEY: "[REDACTED]",
bearerToken: "[REDACTED]",
accessToken: "[REDACTED]",
password: "[REDACTED]",
secret: "[REDACTED]",
client_secret: "[REDACTED]",
});
});
it("should preserve non-sensitive object properties", () => {
const input = {
message: "Test message",
statusCode: 500,
timestamp: new Date("2024-01-01"),
count: 42,
};
const result = sanitizeForLogging(input);
expect(result).toEqual({
message: "Test message",
statusCode: 500,
timestamp: new Date("2024-01-01"),
count: 42,
});
});
it("should handle objects with null and undefined values", () => {
const input = {
message: "Error",
token: null,
apiKey: undefined,
data: "value",
};
const result = sanitizeForLogging(input);
expect(result).toEqual({
message: "Error",
token: null,
apiKey: undefined,
data: "value",
});
});
});
describe("Array sanitization", () => {
it("should sanitize strings in arrays", () => {
const input = ["normal message", "token=abc123", "another message"];
const result = sanitizeForLogging(input);
expect(result).toEqual(["normal message", "token=[REDACTED]", "another message"]);
});
it("should sanitize objects in arrays", () => {
const input = [
{ message: "ok" },
{ message: "error", apiKey: "secret123" },
{ message: "info" },
];
const result = sanitizeForLogging(input);
expect(result).toEqual([
{ message: "ok" },
{ message: "error", apiKey: "[REDACTED]" },
{ message: "info" },
]);
});
it("should handle nested arrays", () => {
const input = [["token=abc"], ["password=xyz"]];
const result = sanitizeForLogging(input);
expect(result).toEqual([["token=[REDACTED]"], ["password=[REDACTED]"]]);
});
});
describe("Error object sanitization", () => {
it("should sanitize Error objects", () => {
const error = new Error("Auth failed with token abc123");
const result = sanitizeForLogging(error);
expect(result.message).toBe("Auth failed with token [REDACTED]");
expect(result.name).toBe("Error");
});
it("should sanitize custom error properties", () => {
const error = new Error("Request failed");
(error as any).config = {
headers: {
Authorization: "Bearer secret123",
},
};
const result = sanitizeForLogging(error);
expect(result.config.headers.Authorization).toBe("[REDACTED]");
});
it("should handle errors with nested objects", () => {
const error = new Error("Discord error");
(error as any).response = {
status: 401,
data: {
message: "Invalid token",
token: "abc123",
},
};
const result = sanitizeForLogging(error);
expect(result.response.data.token).toBe("[REDACTED]");
});
});
describe("Edge cases", () => {
it("should handle null input", () => {
const result = sanitizeForLogging(null);
expect(result).toBeNull();
});
it("should handle undefined input", () => {
const result = sanitizeForLogging(undefined);
expect(result).toBeUndefined();
});
it("should handle numbers", () => {
const result = sanitizeForLogging(42);
expect(result).toBe(42);
});
it("should handle booleans", () => {
const result = sanitizeForLogging(true);
expect(result).toBe(true);
});
it("should handle empty objects", () => {
const result = sanitizeForLogging({});
expect(result).toEqual({});
});
it("should handle empty arrays", () => {
const result = sanitizeForLogging([]);
expect(result).toEqual([]);
});
it("should handle circular references", () => {
const obj: any = { name: "test" };
obj.self = obj;
const result = sanitizeForLogging(obj);
expect(result.name).toBe("test");
expect(result.self).toBe("[Circular Reference]");
});
it("should handle large objects without performance issues", () => {
const largeObj: any = {};
for (let i = 0; i < 1000; i++) {
largeObj[`key${i}`] = `value${i}`;
}
largeObj.password = "secret123";
const start = Date.now();
const result = sanitizeForLogging(largeObj);
const duration = Date.now() - start;
expect(result.password).toBe("[REDACTED]");
expect(duration).toBeLessThan(100); // Should complete in under 100ms
});
});
describe("Discord-specific cases", () => {
it("should sanitize Discord bot token format", () => {
const input = {
error: "Failed to connect",
token: "MTk4NjIyNDgzNDcxOTI1MjQ4.Cl2FMQ.ZnCjm1XVW7vRze4b7Cq4se7kKWs",
};
const result = sanitizeForLogging(input);
expect(result.token).toBe("[REDACTED]");
});
it("should sanitize Discord error with config", () => {
const error = {
message: "Request failed",
config: {
headers: {
Authorization: "Bot MTk4NjIyNDgzNDcxOTI1MjQ4.Cl2FMQ.ZnCjm1XVW7vRze4b7Cq4se7kKWs",
},
},
};
const result = sanitizeForLogging(error);
expect(result.config.headers.Authorization).toBe("[REDACTED]");
});
it("should sanitize workspace IDs if configured", () => {
const input = {
message: "Job dispatched",
workspaceId: "ws_123456789",
};
const result = sanitizeForLogging(input);
// Workspace IDs are preserved by default (not considered sensitive)
// Can be redacted if needed in future
expect(result.workspaceId).toBe("ws_123456789");
});
});
});