
Commit b9f7bae

fix: RD-13882-LUMIGO_SECRET_MASKING_-envs-are-still-masked-in-spans (#521)
* feat: lumigo secret env variable not masking
1 parent 6791653 commit b9f7bae


3 files changed

+46
-0
lines changed


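--- a/src/utils.ts
+++ b/src/utils.ts
@@ -70,6 +70,7 @@ export const BYPASS_MASKING_KEYS = [
 LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
 LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
 LUMIGO_SECRET_MASKING_EXACT_PATH,
+LUMIGO_SECRET_MASKING_DEBUG,
 ];
 
 export const LUMIGO_EVENT_KEY = '_lumigo';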

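--- a/src/utils/payloadStringify.js
+++ b/src/utils/payloadStringify.js
@@ -52,6 +52,7 @@ const keyToRegexes = (
 const regexes =
 tryParseEnvVar(backwardCompRegexEnvVarName) || tryParseEnvVar(regexesEnvVarName) || regexesList;
 
+logSecretMaskingDebug(logger, 'Parsed regexes', { regexes });
 try {
 return regexes.map((x) => new RegExp(x, 'i'));
 } catch (e) {
@@ -229,6 +230,7 @@ export const payloadStringify = (
 if (totalSize < maxPayloadSize) {
 if (
 !shouldSkipSecretScrub &&
+!BYPASS_MASKING_KEYS.includes(key) &&
 !keyContainsRegex(whitelistRegexes, key) &&
 keyContainsRegex(secretsRegexes, key)
 ) {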
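Review bot: The `!BYPASS_MASKING_KEYS.includes(key)` guard in the second hunk exempts a key by name alone, and nothing visible here restricts it to the environment-variable payload, so a request body, header or query parameter that happens to carry one of these key names would also be exported unmasked. The match is exact and case-sensitive, while the secret regexes in `keyToRegexes` are compiled with the `i` flag, so the exemption and the masking rules do not compare keys the same way. A comment above the condition such as `// Lumigo's own masking-config keys hold regex lists, not secrets; never scrub them` would record the intent, and if the caller can tell which payload kind it is serializing, the bypass is better limited to the environment case. In the first hunk, `logSecretMaskingDebug` runs before the `try` that validates the patterns and, if `keyToRegexes` is called per payload, will log on every call. Both enclosing functions start and end outside the hunks.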

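--- a/src/utils/payloadStringify.test.js
+++ b/src/utils/payloadStringify.test.js
@@ -7,6 +7,12 @@ import {
 LUMIGO_SECRET_MASKING_REGEX_BACKWARD_COMP,
 LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES,
 LUMIGO_WHITELIST_KEYS_REGEXES,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS,
+LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
+LUMIGO_SECRET_MASKING_DEBUG,
 } from '../utils';
 import { keyToOmitRegexes, payloadStringify, shallowMask, truncate } from './payloadStringify';
 import { ConsoleWritesForTesting } from '../../testUtils/consoleMocker';
@@ -108,6 +114,43 @@ describe('payloadStringify', () => {
 expect(result).toEqual('{"a":2,"password":"****"}');
 });
 
+test.each(
+[
+LUMIGO_SECRET_MASKING_REGEX,
+LUMIGO_SECRET_MASKING_REGEX_BACKWARD_COMP,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS,
+LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT,
+LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS,
+LUMIGO_SECRET_MASKING_EXACT_PATH,
+LUMIGO_SECRET_MASKING_DEBUG,
+],
+'payloadStringify -> should not mask masking the env-var %s',
+(envVar) => {
+const someValue = 'a';
+
+expect(payloadStringify({ [envVar]: someValue })).toEqual(`{"${env}":"${someValue}"}`);
+}
+);
+
+test('payloadStringify -> LUMIGO_SECRET_MASKING_REGEX', () => {
+process.env[LUMIGO_SECRET_MASKING_REGEX] = JSON.stringify(['.*masking.*']);
+const payload = {
+a: 2,
+aMaskingB: 'CoolPass35',
+LUMIGO_SECRET_MASKING_REGEX: 'should not be masked',
+};
+
+const result = payloadStringify(payload);
+
+expect(result).toEqual(
+'{"a":2,"aMaskingB":"****","LUMIGO_SECRET_MASKING_REGEX":"should not be masked"}'
+);
+process.env[LUMIGO_SECRET_MASKING_REGEX] = undefined;
+});
+
 test('payloadStringify -> truncate after 10B', () => {
 const payload = {
 a: 2,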
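Review bot: The parameterized test at new lines 117–136 passes the title and callback as extra arguments to `test.each(...)` instead of calling the function it returns, so with Jest's `test.each(table)(name, fn)` form no case is registered and the bypass for the ten listed keys is never exercised. That also hides the `${env}` reference in the expected string, which should be `${envVar}`. The call should read `test.each([...])('payloadStringify -> should not mask the env-var %s', (envVar) => {`. In the second test, `process.env[LUMIGO_SECRET_MASKING_REGEX] = undefined;` stores the string `'undefined'` in Node rather than unsetting the variable, and it is skipped if the assertion throws; `delete process.env[LUMIGO_SECRET_MASKING_REGEX];` in an `afterEach` would keep the regex from leaking into later tests.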
