mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Security Sprint M7.1: Fix P1 Security Issues (#283, #288, #289, #290) #319

Merged
jason.woltje merged 4 commits from fix/283-connection-status-validation into develop 2026-02-04 03:38:20 +00:00
Conversation 0 Commits 4 Files Changed 10 +31 -2
2 changed files with 31 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 77d1d14e08 - Show all commits

28
apps/api/src/federation/crypto.service.spec.ts
View File

@@ -2,10 +2,11 @@
* Crypto Service Tests
*/
import { describe, it, expect, beforeEach } from "vitest";
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { ConfigService } from "@nestjs/config";
import { CryptoService } from "./crypto.service";
import { Logger } from "@nestjs/common";
describe("CryptoService", () => {
let service: CryptoService;
@@ -137,6 +138,31 @@ describe("CryptoService", () => {
// Act & Assert
expect(() => service.decrypt(corrupted)).toThrow("Failed to decrypt data");
});
it("should not log sensitive data in error messages", () => {
// Arrange
const loggerErrorSpy = vi.spyOn(Logger.prototype, "error");
const corruptedData = "corrupted:data:here";
// Act & Assert
expect(() => service.decrypt(corruptedData)).toThrow("Failed to decrypt data");
// Verify logger was called with safe message
expect(loggerErrorSpy).toHaveBeenCalled();
const logCall = loggerErrorSpy.mock.calls[0];
// First argument should contain error type but not sensitive data
expect(logCall[0]).toMatch(/Decryption failed:/);
// Should NOT log the actual error object with stack traces
expect(logCall.length).toBe(1); // Only one argument (the message)
// Verify the corrupted data is not in the log
const logMessage = logCall[0] as string;
expect(logMessage).not.toContain(corruptedData);
loggerErrorSpy.mockRestore();
});
});
describe("encrypt/decrypt round-trip", () => {

5
apps/api/src/federation/crypto.service.ts
View File

@@ -90,7 +90,10 @@ export class CryptoService {
return decrypted;
} catch (error) {
this.logger.error("Decryption failed", error);
// Security: Do not log error details which may contain sensitive data
// Only log error type/code without stack trace or encrypted content
const errorType = error instanceof Error ? error.constructor.name : "Unknown";
this.logger.error(`Decryption failed: ${errorType}`);
throw new Error("Failed to decrypt data");
}
}