Redaction should recurse into arrays (#87)

elastic · Mar 7, 2024 · 4ebb9d9 · 4ebb9d9
1 parent fde45c1
commit 4ebb9d9
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 8 deletions.
diff --git a/src/security.ts b/src/security.ts
@@ -45,15 +45,20 @@ export function redactObject (obj: Record<string, any>, additionalKeys: string[]
         value = `${value.origin}${value.pathname}${value.search}`
       }
 
-      if (typeof value === 'object' && !Array.isArray(value) && value !== null) {
-        if (seen.get(value) !== true) {
-          // if this Object hasn't been seen, recursively redact it
-          seen.set(value, true)
-          value = doRedact(value)
+      if (typeof value === 'object' && value !== null) {
+        if (Array.isArray(value)) {
+          // if it's an array, redact each item
+          value = value.map(v => doRedact(v))
         } else {
-          // if it has been seen, set the value that goes in newObj to null
-          // this is what prevents the circular references
-          value = null
+          if (seen.get(value) !== true) {
+            // if this Object hasn't been seen, recursively redact it
+            seen.set(value, true)
+            value = doRedact(value)
+          } else {
+            // if it has been seen, set the value that goes in newObj to null
+            // this is what prevents the circular references
+            value = null
+          }
         }
       }
 

diff --git a/test/unit/security.test.ts b/test/unit/security.test.ts
@@ -192,5 +192,18 @@ test('redactObject', t => {
     t.equal(result.url, 'http://foo.com/path/to/endpoint?query=true')
   })
 
+  t.test('properly recurses into arrays', t => {
+    t.plan(2)
+    const result = redactObject({
+      foo: [
+        { authorization: 'foo' },
+        { password: 'bar' },
+      ]
+    })
+
+    t.notMatch(result.foo[0].authorization, 'foo')
+    t.notMatch(result.foo[1].password, 'bar')
+  })
+
   t.end()
 })