fix: RD-13882-LUMIGO_SECRET_MASKING_-envs-are-still-masked-in-spans (#…
…521)

* feat: lumigo secret env variable not masking
eugene-lumigo authored Oct 28, 2024
1 parent 6791653 commit b9f7bae
Showing 3 changed files with 46 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/utils.ts
@@ -70,6 +70,7 @@ export const BYPASS_MASKING_KEYS = [
LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
LUMIGO_SECRET_MASKING_EXACT_PATH,
LUMIGO_SECRET_MASKING_DEBUG,
];

export const LUMIGO_EVENT_KEY = '_lumigo';
2 changes: 2 additions & 0 deletions src/utils/payloadStringify.js
@@ -52,6 +52,7 @@ const keyToRegexes = (
const regexes =
tryParseEnvVar(backwardCompRegexEnvVarName) || tryParseEnvVar(regexesEnvVarName) || regexesList;

logSecretMaskingDebug(logger, 'Parsed regexes', { regexes });
try {
return regexes.map((x) => new RegExp(x, 'i'));
} catch (e) {
@@ -229,6 +230,7 @@ export const payloadStringify = (
if (totalSize < maxPayloadSize) {
if (
!shouldSkipSecretScrub &&
!BYPASS_MASKING_KEYS.includes(key) &&
!keyContainsRegex(whitelistRegexes, key) &&
keyContainsRegex(secretsRegexes, key)
) {
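Review bot: The added `!BYPASS_MASKING_KEYS.includes(key)` guard in the second hunk exempts a key by name alone, so it appears to apply to every payload that reaches payloadStringify (bodies, headers, query parameters), not only to the environment block the commit title refers to. A field with one of these names in caller-supplied data would then be exported unmasked, whatever its value holds. Consider applying the bypass only where environment variables are serialized, or at least state the scope in a comment such as `// Lumigo's own masking-config keys are exempt by exact name in every payload; their values are emitted verbatim`. The match is also exact and case-sensitive while the secret regexes are compiled with the `i` flag, so a differently cased spelling of the same key is still masked. The enclosing condition and function continue outside the hunk.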
43 changes: 43 additions & 0 deletions src/utils/payloadStringify.test.js
@@ -7,6 +7,12 @@ import {
LUMIGO_SECRET_MASKING_REGEX_BACKWARD_COMP,
LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES,
LUMIGO_WHITELIST_KEYS_REGEXES,
LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS,
LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES,
LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS,
LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
LUMIGO_SECRET_MASKING_DEBUG,
} from '../utils';
import { keyToOmitRegexes, payloadStringify, shallowMask, truncate } from './payloadStringify';
import { ConsoleWritesForTesting } from '../../testUtils/consoleMocker';
@@ -108,6 +114,43 @@ describe('payloadStringify', () => {
expect(result).toEqual('{"a":2,"password":"****"}');
});

test.each(
[
LUMIGO_SECRET_MASKING_REGEX,
LUMIGO_SECRET_MASKING_REGEX_BACKWARD_COMP,
LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES,
LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS,
LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES,
LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS,
LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
LUMIGO_SECRET_MASKING_EXACT_PATH,
LUMIGO_SECRET_MASKING_DEBUG,
],
'payloadStringify -> should not mask masking the env-var %s',
(envVar) => {
const someValue = 'a';

expect(payloadStringify({ [envVar]: someValue })).toEqual(`{"${env}":"${someValue}"}`);
}
);

test('payloadStringify -> LUMIGO_SECRET_MASKING_REGEX', () => {
process.env[LUMIGO_SECRET_MASKING_REGEX] = JSON.stringify(['.*masking.*']);
const payload = {
a: 2,
aMaskingB: 'CoolPass35',
LUMIGO_SECRET_MASKING_REGEX: 'should not be masked',
};

const result = payloadStringify(payload);

expect(result).toEqual(
'{"a":2,"aMaskingB":"****","LUMIGO_SECRET_MASKING_REGEX":"should not be masked"}'
);
process.env[LUMIGO_SECRET_MASKING_REGEX] = undefined;
});

test('payloadStringify -> truncate after 10B', () => {
const payload = {
a: 2,
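Review bot: The new parametrized test is written as a single call, `test.each([...], 'title', fn)`, whereas Jest expects `test.each(table)(title, fn)`; in the single-call form Jest only returns the binder and, as far as I can tell, registers no cases, so the bypass for the ten listed keys is never exercised. That also hides a second problem in the callback: the expected string interpolates `${env}` while the parameter is `envVar`, which would throw a ReferenceError unless `env` is defined elsewhere in the file. Close the table and open the call as `])('payloadStringify -> should not mask the env-var %s', (envVar) => {` and interpolate `${envVar}` in the expectation. In the test that follows, `process.env[LUMIGO_SECRET_MASKING_REGEX] = undefined;` stores the string "undefined" rather than unsetting the variable, so `delete process.env[LUMIGO_SECRET_MASKING_REGEX];` is the safer cleanup and keeps the setting from leaking into later tests.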