Potential fix for code scanning alert no. 62: Clear-text logging of sensitive information#55
Merged
Conversation
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Fix OAuth2 message sanitizing
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for https://github.com/unfoldedcircle/integration-node-library/security/code-scanning/62
At a high level, the fix is to avoid logging sensitive values in clear text. Since `#log_json_message` is a generic helper used for all message types, the best approach is to centralize redaction there: before stringifying the JSON, sanitize known sensitive fields (particularly the OAuth2-related ones) so that tokens, token IDs and similar secrets are replaced with placeholders. That way, we keep the useful structural logging (message kind, IDs, non-sensitive attributes) without risking credential leakage, and we avoid having to special-case every call site.

Concretely, within `index.ts`, we should update `#log_json_message` so it:

- Clones the `json` object to avoid mutating the original payload being sent/processed.
- Runs `filterBase64Images` on the clone.
- Redacts `token`, `access_token`, `refresh_token`, `id_token`, `authorization_code`, and similar fields when they appear in:
  - `msg_data.token` (for `CreateOauth2Cfg` etc., where `token: api.Oauth2Token` is passed).
  - `msg_data.token_id`.
  - `token`, `token_id`, or fields nested under `oauth`/`credentials` objects, to be robust.

Because we must not assume unshown files, the redaction logic should be implemented inline in `index.ts` as a small helper inside `#log_json_message` (or immediately above it) using plain TypeScript/JavaScript and no new imports. We do not need to touch `lib/utils.ts`; it already only handles base64 images and is not responsible for secrets.

We will therefore modify the `#log_json_message` method in `index.ts` (around lines 485–500) to introduce a `sanitizeForLogging` step that performs a shallow clone and recursive redaction of common secret-looking keys, and then log `sanitizeForLogging(filterBase64Images(clone))`. This single change will address all four variants of the alert because every affected request uses `#sendRequest`, which in turn calls `#log_json_message`.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
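The following is an added example, not code from integration-node-library or from the Copilot Autofix suggestion, showing one way to implement the redaction step described in the PR body: clone the message, replace secret-looking fields with a placeholder, and only then stringify for the log. The key list is the one the description names; the helper names (`sanitizeForLogging`, `isSecretKey`, `formatForLog`), the placeholder string, the camelCase/kebab-case normalisation, the catch-all key pattern and the sample message are this example's own assumptions. `filterBase64Images` is not reproduced here; it would run on the clone before this step, as the description says.

```typescript
// Added example (not the library's own code): redaction helper of the shape
// the PR description proposes for #log_json_message. All names below are
// assumptions made for this example.

const REDACTED = "***REDACTED***";

// Exact key names from the PR description, matched after normalisation.
const SECRET_KEYS = new Set([
  "token", "token_id", "access_token", "refresh_token",
  "id_token", "authorization_code",
]);

// Catch-all for other secret-looking names (client_secret, api_key, password ...).
const SECRET_KEY_PATTERN = /(^|_)(token|secret|password|passwd|api_key)(_|$)/;

// Defensive bound so a hostile or malformed payload cannot recurse without limit.
const MAX_DEPTH = 16;

// "refreshToken", "refresh-token" and "REFRESH_TOKEN" all become "refresh_token".
function normalizeKey(key: string): string {
  return key
    .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
    .replace(/-/g, "_")
    .toLowerCase();
}

function isSecretKey(key: string): boolean {
  const k = normalizeKey(key);
  return SECRET_KEYS.has(k) || SECRET_KEY_PATTERN.test(k);
}

// Returns a redacted copy; the input object is never mutated, so the payload
// that is actually sent or processed is unaffected.
function sanitizeForLogging(value: unknown, depth = 0): unknown {
  if (depth > MAX_DEPTH) return "[max depth exceeded]";
  if (Array.isArray(value)) return value.map((v) => sanitizeForLogging(v, depth + 1));
  if (value === null || typeof value !== "object") return value;

  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
    if (isSecretKey(k)) {
      // Replace the whole value, not just string leaves: `token` is itself an
      // object (api.Oauth2Token) carrying access_token / refresh_token inside.
      out[k] = v === null || v === undefined ? v : REDACTED;
    } else {
      // Recursion covers token fields nested under oauth / credentials objects.
      out[k] = sanitizeForLogging(v, depth + 1);
    }
  }
  return out;
}

// What a #log_json_message-style helper would emit: sanitise first, stringify second.
function formatForLog(json: unknown): string {
  return JSON.stringify(sanitizeForLogging(json));
}

// Constructed sample modelled on a create_oauth2_cfg request; not a captured message.
const SAMPLE_MSG = {
  kind: "req",
  id: 42,
  msg: "create_oauth2_cfg",
  msg_data: {
    token_id: "tok-12345",
    name: "example-service",
    token: { access_token: "ya29.example-access", refresh_token: "1//example-refresh", expires_in: 3600 },
    credentials: { client_id: "client-abc", client_secret: "example-client-secret" },
  },
};

console.log(formatForLog(SAMPLE_MSG));
```

Two points worth checking when adapting this: a secret field whose value is an object must be replaced as a whole (otherwise the `api.Oauth2Token` case still leaks its inner fields), and the original message must stay untouched, since the same object is what `#sendRequest` actually transmits. Note that the catch-all pattern is deliberately conservative about what it matches, so `expires_in`, `name` and `client_id` remain visible in the log.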