
Merge pull request #920 from snyk/fix/broker-token-logged-plaintext
Fix/broker token logged plaintext
shuaibmunshi authored Feb 13, 2025
2 parents 0a3cb61 + 1efc9ae commit b0cfa0f
Showing 3 changed files with 45 additions and 10 deletions.
2 changes: 1 addition & 1 deletion README.npm.md
Expand Up @@ -293,7 +293,7 @@ Public filters are for requests that are received on your broker client and are

- The broker requires at least [email protected]
- Broker clients are *uniquely* identified (i.e. the same ID can't be used twice)
- If your private service is using an unrecognized certificate, you will need to supply a Certificate Authority file and add the following environment value when runnning the client: `CA_CERT=ca.cert.pem` - Client will load your CA certificate and use it for requests to your internal service
- If your private service is using an unrecognized certificate, you will need to supply a Certificate Authority file and add the following environment value when running the client: `CA_CERT=ca.cert.pem` - Client will load your CA certificate and use it for requests to your internal service

## License

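--- a/lib/hybrid-sdk/http/request.ts
+++ b/lib/hybrid-sdk/http/request.ts
@@ -6,6 +6,7 @@ import { log as logger } from '../../logs/logger';
 import { PostFilterPreparedRequest } from '../../common/relay/prepareRequest';
 import { getConfig } from '../../common/config/config';
 import { switchToInsecure } from './utils';
+import { maskToken, extractBrokerTokenFromUrl } from '../../common/utils/token';
 export interface HttpResponse {
 headers: Object;
 statusCode: number | undefined;
@@ -65,13 +66,23 @@ export const makeRequestToDownstream = async (
 response.statusCode >= 200 &&
 response.statusCode < 300
 ) {
+const brokerToken = extractBrokerTokenFromUrl(localRequest.url);
+const maskedToken = maskToken(brokerToken);
 logger.trace(
-{ statusCode: response.statusCode, url: localRequest.url },
+{
+statusCode: response.statusCode,
+url: localRequest.url.replaceAll(brokerToken, maskedToken),
+},
 `Successful request`,
 );
 } else {
+const brokerToken = extractBrokerTokenFromUrl(localRequest.url);
+const maskedToken = maskToken(brokerToken);
 logger.debug(
-{ statusCode: response.statusCode, url: localRequest.url },
+{
+statusCode: response.statusCode,
+url: localRequest.url.replaceAll(brokerToken, maskedToken),
+},
 `Non 2xx HTTP Code Received`,
 );
 }
@@ -103,16 +114,26 @@ export const makeRequestToDownstream = async (
 // An error occurred while fetching.
 request.on('error', (error) => {
 if (retries > 0) {
+const brokerToken = extractBrokerTokenFromUrl(localRequest.url);
+const maskedToken = maskToken(brokerToken);
 logger.warn(
-{ url: localRequest.url, err: error },
+{
+url: localRequest.url.replaceAll(brokerToken, maskedToken),
+err: error,
+},
 `Request failed. Retrying after 500ms...`,
 );
 setTimeout(() => {
 resolve(makeRequestToDownstream(localRequest, retries - 1));
 }, 500); // Wait for 0.5 second before retrying
 } else {
+const brokerToken = extractBrokerTokenFromUrl(localRequest.url);
+const maskedToken = maskToken(brokerToken);
 logger.error(
-{ url: localRequest.url, err: error },
+{
+url: localRequest.url.replaceAll(brokerToken, maskedToken),
+err: error,
+},
 `Error making streaming request to downstream. Giving up after ${MAX_RETRY} retries.`,
 );
 reject(error);
@@ -162,19 +183,23 @@ export const makeStreamingRequestToDownstream = (
 response.statusCode >= 200 &&
 response.statusCode < 300
 ) {
+const brokerToken = extractBrokerTokenFromUrl(localRequest.url);
+const maskedToken = maskToken(brokerToken);
 logger.info(
 {
 statusCode: response.statusCode,
-url: localRequest.url,
+url: localRequest.url.replaceAll(brokerToken, maskedToken),
 headers: config.LOG_INFO_VERBOSE ? response.headers : {},
 },
 `Successful downstream request`,
 );
 } else {
+const brokerToken = extractBrokerTokenFromUrl(localRequest.url);
+const maskedToken = maskToken(brokerToken);
 logger.warn(
 {
 statusCode: response.statusCode,
-url: localRequest.url,
+url: localRequest.url.replaceAll(brokerToken, maskedToken),
 headers: response.headers,
 },
 `Non 2xx HTTP Code Received`,
@@ -206,8 +231,13 @@ export const makeStreamingRequestToDownstream = (
 );
 request.on('error', (error) => {
 if (retries > 0) {
+const brokerToken = extractBrokerTokenFromUrl(req.url);
+const maskedToken = maskToken(brokerToken);
 logger.warn(
-{ url: req.url, err: error },
+{
+url: req.url.replaceAll(brokerToken, maskedToken),
+err: error,
+},
 `Request failed. Retrying after 500ms...`,
 );
 setTimeout(() => {
@@ -216,8 +246,13 @@ export const makeStreamingRequestToDownstream = (
 );
 }, 500); // Wait for 0.5 second before retrying
 } else {
+const brokerToken = extractBrokerTokenFromUrl(localRequest.url);
+const maskedToken = maskToken(brokerToken);
 logger.error(
-{ url: localRequest.url, err: error },
+{
+url: localRequest.url.replaceAll(brokerToken, maskedToken),
+err: error,
+},
 `Error making request to downstream. Giving up after ${MAX_RETRY} retries.`,
 );
 reject(error);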
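Review bot: `localRequest.url.replaceAll(brokerToken, maskedToken)` at the `logger.trace` call in the second hunk, and every other `replaceAll` added in this file, is only safe when `extractBrokerTokenFromUrl` actually found a token: `replaceAll('', maskedToken)` inserts the mask between every character of the URL, and a `null`/`undefined` return would be stringified and matched literally, so the no-token case needs a guard; the helper's return type is not visible here, so which of those cases applies should be confirmed. The same two-line prologue plus `replaceAll` is copied eight times across `makeRequestToDownstream` and `makeStreamingRequestToDownstream`, so a single file-level helper would keep the masking rule and its edge case in one place and make the call sites one line again. The fifth hunk masks `req.url` while the others mask `localRequest.url`; that mirrors the removed line, but it is worth checking the two are the same URL so the token is not left unmasked in one path. Both enclosing functions start and end outside these hunks.
```typescript
/** Returns `url` with the broker token, if one is present, replaced by its masked form for logging. */
const maskUrlForLog = (url: string): string => {
  const brokerToken = extractBrokerTokenFromUrl(url);
  // replaceAll('') would interleave the mask between every character, so only mask when a token was found
  return brokerToken ? url.replaceAll(brokerToken, maskToken(brokerToken)) : url;
};
// … unchanged: makeRequestToDownstream request/response handling …
logger.trace(
  { statusCode: response.statusCode, url: maskUrlForLog(localRequest.url) },
  `Successful request`,
);
```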
2 changes: 1 addition & 1 deletion tsconfig.json
@@ -1,6 +1,6 @@
{
"compilerOptions": {
"target": "es2019",
"target": "es2021",
"module": "NodeNext",
"allowJs": true,
"sourceMap": true,
