fix: RD-13882-LUMIGO_SECRET_MASKING_-envs-are-still-masked-in-spans (#521)

eugene-lumigo · web-flow · commit b9f7baef967f · 2024-10-28T12:44:16.000+01:00
* feat: lumigo secret env variable not masking
diff --git a/src/utils.ts b/src/utils.ts
@@ -70,6 +70,7 @@ export const BYPASS_MASKING_KEYS = [
   LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
   LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
   LUMIGO_SECRET_MASKING_EXACT_PATH,
+  LUMIGO_SECRET_MASKING_DEBUG,
 ];
 
 export const LUMIGO_EVENT_KEY = '_lumigo';
diff --git a/src/utils/payloadStringify.js b/src/utils/payloadStringify.js
@@ -52,6 +52,7 @@ const keyToRegexes = (
   const regexes =
     tryParseEnvVar(backwardCompRegexEnvVarName) || tryParseEnvVar(regexesEnvVarName) || regexesList;
 
+  logSecretMaskingDebug(logger, 'Parsed regexes', { regexes });
   try {
     return regexes.map((x) => new RegExp(x, 'i'));
   } catch (e) {
@@ -229,6 +230,7 @@ export const payloadStringify = (
       if (totalSize < maxPayloadSize) {
         if (
           !shouldSkipSecretScrub &&
+          !BYPASS_MASKING_KEYS.includes(key) &&
           !keyContainsRegex(whitelistRegexes, key) &&
           keyContainsRegex(secretsRegexes, key)
         ) {
diff --git a/src/utils/payloadStringify.test.js b/src/utils/payloadStringify.test.js
@@ -7,6 +7,12 @@ import {
   LUMIGO_SECRET_MASKING_REGEX_BACKWARD_COMP,
   LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES,
   LUMIGO_WHITELIST_KEYS_REGEXES,
+  LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS,
+  LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES,
+  LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS,
+  LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
+  LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
+  LUMIGO_SECRET_MASKING_DEBUG,
 } from '../utils';
 import { keyToOmitRegexes, payloadStringify, shallowMask, truncate } from './payloadStringify';
 import { ConsoleWritesForTesting } from '../../testUtils/consoleMocker';
@@ -108,6 +114,43 @@ describe('payloadStringify', () => {
     expect(result).toEqual('{"a":2,"password":"****"}');
   });
 
+  test.each(
+    [
+      LUMIGO_SECRET_MASKING_REGEX,
+      LUMIGO_SECRET_MASKING_REGEX_BACKWARD_COMP,
+      LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES,
+      LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS,
+      LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES,
+      LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS,
+      LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
+      LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
+      LUMIGO_SECRET_MASKING_EXACT_PATH,
+      LUMIGO_SECRET_MASKING_DEBUG,
+    ],
+    'payloadStringify -> should not mask masking the env-var %s',
+    (envVar) => {
+      const someValue = 'a';
+
+      expect(payloadStringify({ [envVar]: someValue })).toEqual(`{"${env}":"${someValue}"}`);
+    }
+  );
+
+  test('payloadStringify -> LUMIGO_SECRET_MASKING_REGEX', () => {
+    process.env[LUMIGO_SECRET_MASKING_REGEX] = JSON.stringify(['.*masking.*']);
+    const payload = {
+      a: 2,
+      aMaskingB: 'CoolPass35',
+      LUMIGO_SECRET_MASKING_REGEX: 'should not be masked',
+    };
+
+    const result = payloadStringify(payload);
+
+    expect(result).toEqual(
+      '{"a":2,"aMaskingB":"****","LUMIGO_SECRET_MASKING_REGEX":"should not be masked"}'
+    );
+    process.env[LUMIGO_SECRET_MASKING_REGEX] = undefined;
+  });
+
   test('payloadStringify -> truncate after 10B', () => {
     const payload = {
       a: 2,
