
Bug: Masking the password only if it is not the last key-value pair.


Describe the bug

TSLog masks password only if it is not the last value in the json.

To Reproduce

Steps to reproduce the behavior:

  1. mkdir tslogBugReplace
  2. cd tslogBugReplace
  3. npm init -y
  4. npm i tslog
  5. Open the directory with your favourite text editor and create index.js
  6. Run the following code:

     const { Logger } = require('tslog');
     let log = new Logger();

     log.info({ password: 'topsecret', user: 'test' });
     // password is masked.

     log.info({ user: 'test', password: 'topsecret' });
     // password is not masked!

     log.info({ user: 'test', password: 'topsecret', iWillMask: 'Because I exist' });
     // Whew! It's masked again.
     // Hint: util.inspect() does not add a comma after the last key in json.

     // In the following example:
     // Keys do not include password.
     // Only values have the keyword 'password' (case insensitive).
     log.info({
       errorCode: 'WrongPasswordOrEmail',
       message: 'Email or Password is wrong! Password, password, password!',
       anyKey: 'any value' // removing this key will result in unmasked message.
     });

  7. node index.js or you can also see the screenshot below.

Expected behavior

Password should be masked regardless of the comma at the end when it was serialized for replacement with the mask string.

Screenshots

Additional context

I have seen the code for replacing the value of the key is using inspect from util library. A simple regex matching for every key-value pair is a bit hard to write. I am currently working on a depth first search approach, where each property is visited and modified then copied to a clone until a cycle is encountered. Finally I would call util.inspect() on the clone as well, and modify the result for pretty printing.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

1 reaction
terehov commented, Aug 9, 2020

Well caught.

Another patch is on its way. Should look like this: [image]

It’s also invalid json because of the repeated key.

Btw. it’s not JSON anyways. JSON is a very limited representation of JS and many types are missing (e.g. BigInt). From the documentation:

    The util.inspect() method returns a string representation of object that is intended for debugging. The output of util.inspect may change at any time and should not be depended upon programmatically.

util.inspect(object[, options])

1 reaction
terehov commented, Aug 9, 2020

I have released a new version 2.6.4 that addresses this issue. Finally, there was only one question mark (?) missing in the RegEx. Thanks for pointing that out. Additionally, your screenshot indicated another problem with that RegEx that I also resolved. Your output should now look like this:

[image]

    I am currently working on a depth first search approach, where each property is visited and modified then copied to a clone until a cycle is encountered. Finally I would call util.inspect() on the clone as well, and modify the result for pretty printing.

I understand your point, however, masking happens for each and every log message and running a recursive search would lead to lower performance. util.inspect is quite optimized when used once.
