mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-09-29 01:30:45 +00:00
90e902c10f
Summary: sanitazing errors output in webhooks to protect users data (not show them in logs and other places). Because redis is returing whole payload when error occur, best approach is to hijack exception as close to redis operation as posible and sanitize the data. We need to know data structure do do this corretly tho. Currently I decided to just censore everything that has "payload" key. Test Plan: Because logs that need to be sanitized come from redis, to be valid tested we should force redis to crash. It's hard to do in our integration test setup. In this moment, unit test is all we got. Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3905
70 lines
2.2 KiB
TypeScript
70 lines
2.2 KiB
TypeScript
import {LogSanitizer} from "app/server/utils/LogSanitizer";
|
|
import {assert} from "chai";
|
|
|
|
describe("LogSanitizer", () => {
|
|
|
|
it("should return neutral logs untouched", done => {
|
|
const exampleLog
|
|
= 'DocTriggers: Webhook responded with non-200 status status=404, attempt=1, docId=8x9U6xe4hNz8WaJCzAjDBM,' +
|
|
' queueLength=8, drainingQueue=false, shuttingDown=false, sending=true, redisClient=true';
|
|
const sanitizer = new LogSanitizer();
|
|
const sanitizedLog = sanitizer.sanitize(exampleLog);
|
|
assert.equal(sanitizedLog, exampleLog);
|
|
done();
|
|
});
|
|
|
|
it("should not crashed when empty log was passed to sanitizer", done => {
|
|
const exampleLog = undefined;
|
|
const sanitizer = new LogSanitizer();
|
|
const sanitizedLog = sanitizer.sanitize(exampleLog);
|
|
assert.equal(sanitizedLog, exampleLog);
|
|
done();
|
|
});
|
|
|
|
|
|
|
|
|
|
it("should sanitize redis webhooks rpush logs", done => {
|
|
const exampleLog = {
|
|
command: "RPUSH",
|
|
code: "NR_CLOSED",
|
|
args: [
|
|
"webhook-queue-8x9U6xe4hNz8WaJCzAjDBM",
|
|
// Data send to redis is kept there in string format, therefore in our solution we are stringify them before
|
|
// sending. we know that the payload is a json though, so here we are trying to reproduce that data structure.
|
|
JSON.stringify({
|
|
id: "f3517b07-9846-4fe3-bcb2-d26cc07e40bd",
|
|
payload: {
|
|
id: 355,
|
|
manualSort: 355,
|
|
Name: "Johny",
|
|
InsuranceNumber: "12345"
|
|
}
|
|
}),
|
|
// in thie redis those are json, but send as a strings, so we need to parse them
|
|
JSON.stringify({
|
|
id: "b3091e47-00a0-4614-a58f-cb1ae383ea43",
|
|
payload: {
|
|
id: 355,
|
|
manualSort: 355,
|
|
Name: "Mark",
|
|
InsuranceNumber: "65844"
|
|
}
|
|
})
|
|
]
|
|
};
|
|
|
|
const sanitizer = new LogSanitizer();
|
|
const sanitizedLogObj = sanitizer.sanitize(exampleLog);
|
|
const sanitizedLog = JSON.stringify(sanitizedLogObj);
|
|
|
|
// tests on stringify object, to make it fast to search in.
|
|
assert.isTrue(sanitizedLog.includes("[sanitized]"));
|
|
assert.isFalse(sanitizedLog.includes("InsuranceNumber"));
|
|
assert.isFalse(sanitizedLog.includes("Name"));
|
|
|
|
done();
|
|
});
|
|
|
|
});
|