From b1d28759110f91b37746f9b88aba92bf52df2fcc Mon Sep 17 00:00:00 2001
From: Daniel Bankhead
Date: Tue, 2 Apr 2024 16:18:07 -0700
Subject: [PATCH 1/2] feat: Enhance Error Redaction (#609) * feat: Enhance Error Redaction * docs: DLP remarks * chore(deps): Pin `karma-webpack`
---
 README.md | 6 ++++++
 package.json | 2 +-
 src/common.ts | 30 +++++++++++++++++++++++++++++-
 test/test.getch.ts | 12 ++++++++++--
 4 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 2b9b0c59..bd7b905d 100644
--- a/README.md
+++ b/README.md
@@ -160,6 +160,12 @@ over other authentication methods, i.e., application default credentials.
 *
 * Set `false` to disable.
 *
+ * @remarks
+ *
+ * This does not replace the requirement for an active Data Loss Prevention (DLP) provider. For DLP suggestions, see:
+ * - https://cloud.google.com/sensitive-data-protection/docs/redacting-sensitive-data#dlp_deidentify_replace_infotype-nodejs
+ * - https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets
+ *
 * @experimental
 */
 errorRedactor?: typeof defaultErrorRedactor | false;
diff --git a/package.json b/package.json
index 18315732..c9cc63e4 100644
--- a/package.json
+++ b/package.json
@@ -68,7 +68,7 @@
 "karma-mocha": "^2.0.0",
 "karma-remap-coverage": "^0.1.5",
 "karma-sourcemap-loader": "^0.4.0",
- "karma-webpack": "^5.0.0",
+ "karma-webpack": "5.0.0",
 "linkinator": "^4.0.0",
 "mocha": "^8.0.0",
 "multiparty": "^4.2.1",
diff --git a/src/common.ts b/src/common.ts
index 9e45657b..cbeaf3b2 100644
--- a/src/common.ts
+++ b/src/common.ts
@@ -209,6 +209,12 @@ export interface GaxiosOptions {
 /**
 * An experimental error redactor.
 *
+ * @remarks
+ *
+ * This does not replace the requirement for an active Data Loss Prevention (DLP) provider. For DLP suggestions, see:
+ * - https://cloud.google.com/sensitive-data-protection/docs/redacting-sensitive-data#dlp_deidentify_replace_infotype-nodejs
+ * - https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets
+ *
 * @experimental
 */
 errorRedactor?: typeof defaultErrorRedactor | false;
@@ -359,6 +365,16 @@ export function defaultErrorRedactor(data: {
 if (/^authentication$/.test(key)) {
 headers[key] = REDACT;
 }
+
+ // any casing of `Authorization`
+ if (/^authorization$/.test(key)) {
+ headers[key] = REDACT;
+ }
+
+ // anything containing secret, such as 'client secret'
+ if (/secret/.test(key)) {
+ headers[key] = REDACT;
+ }
 }
 }
@@ -370,7 +386,11 @@ export function defaultErrorRedactor(data: {
 ) {
 const text = obj[key];
- if (/grant_type=/.test(text) || /assertion=/.test(text)) {
+ if (
+ /grant_type=/.test(text) ||
+ /assertion=/.test(text) ||
+ /secret/.test(text)
+ ) {
 obj[key] = REDACT;
 }
 }
@@ -385,6 +405,10 @@ export function defaultErrorRedactor(data: {
 if ('assertion' in obj) {
 obj['assertion'] = REDACT;
 }
+
+ if ('client_secret' in obj) {
+ obj['client_secret'] = REDACT;
+ }
 }
 }
@@ -404,6 +428,10 @@ export function defaultErrorRedactor(data: {
 url.searchParams.set('token', REDACT);
 }
+ if (url.searchParams.has('client_secret')) {
+ url.searchParams.set('client_secret', REDACT);
+ }
+
 data.config.url = url.toString();
 } catch {
 // ignore error - no need to parse an invalid URL
diff --git a/test/test.getch.ts b/test/test.getch.ts
index f6dc67ef..6f26f2b8 100644
--- a/test/test.getch.ts
+++ b/test/test.getch.ts
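Review bot: `/^authorization$/` and `/secret/` in the new header branches are case-sensitive, so the "any casing of `Authorization`" comment only holds if `key` has already been lower-cased before this loop, which would happen outside the hunk and is not visible here. Adding the flag makes the branches hold on their own, `if (/^authorization$/i.test(key) || /secret/i.test(key)) {`, and the same `/i` belongs on the new `/secret/.test(text)` in the body-string hunk below, where a `Client-Secret` or `CLIENT_SECRET` token would otherwise pass through unredacted. The two new header branches assign the same value and can be folded into that one condition. Standard credential-bearing headers such as `proxy-authorization`, `cookie` and `set-cookie` are still not covered by this loop; either add them here or document them as out of scope next to the DLP remark. The enclosing loop and `defaultErrorRedactor` itself start and end outside the hunk.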
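Review bot: The object path only redacts the exact key `'client_secret'`, while the header path two hunks up redacts any key matching `/secret/`, so a payload carrying `clientSecret` or `client-secret` is scrubbed as a header but left intact as `data`; the URL hunk below has the same exact-key limitation with `url.searchParams.has('client_secret')`. Matching keys with the same regex keeps the three paths consistent: `for (const key of Object.keys(obj)) { if (/secret/i.test(key)) obj[key] = REDACT; }`, and for the URL, walking `url.searchParams.keys()` with the same test before calling `set`. This assumes `obj` here is a plain object, which the surrounding `'assertion' in obj` check suggests but the hunk does not prove. The enclosing function starts and ends outside the hunk.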
@@ -704,11 +704,13 @@ describe('🎏 data handling', () => {
 const customURL = new URL(url);
 customURL.searchParams.append('token', 'sensitive');
+ customURL.searchParams.append('client_secret', 'data');
 customURL.searchParams.append('random', 'non-sensitive');
 const config: GaxiosOptions = {
 headers: {
 authentication: 'My Auth',
+ authorization: 'My Auth',
 'content-type': 'application/x-www-form-urlencoded',
 random: 'data',
 },
@@ -716,8 +718,9 @@ describe('🎏 data handling', () => {
 grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
 assertion: 'somesensitivedata',
 unrelated: 'data',
+ client_secret: 'data',
 },
- body: 'grant_type=somesensitivedata&assertion=somesensitivedata',
+ body: 'grant_type=somesensitivedata&assertion=somesensitivedata&client_secret=data',
 };
 // simulate JSON response
@@ -756,6 +759,7 @@ describe('🎏 data handling', () => {
 assert.deepStrictEqual(e.config.headers, {
 ...config.headers, // non-redactables should be present
 authentication: REDACT,
+ authorization: REDACT,
 });
 // config redactions - data
@@ -763,6 +767,7 @@ describe('🎏 data handling', () => {
 ...config.data, // non-redactables should be present
 grant_type: REDACT,
 assertion: REDACT,
+ client_secret: REDACT,
 });
 // config redactions - body
@@ -773,6 +778,7 @@ describe('🎏 data handling', () => {
 const resultURL = new URL(e.config.url);
 assert.notDeepStrictEqual(resultURL.toString(), customURL.toString());
 customURL.searchParams.set('token', REDACT);
+ customURL.searchParams.set('client_secret', REDACT);
 assert.deepStrictEqual(resultURL.toString(), customURL.toString());
 // response redactions
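Review bot: The new fixture only adds a lowercase `authorization: 'My Auth'` header, so the "any casing" behaviour promised by the redactor's comment is not exercised by this test; a mixed-case entry such as `Authorization: 'My Auth'` asserted to come back as `REDACT` would pin it. If the request path normalizes header names before the redactor runs, the `deepStrictEqual` expectation would need the normalized key, which the hunk does not show. The same fixture reuses the literal `'data'` for both the redacted `client_secret` and the non-redacted `random` values; a distinct marker such as `'sensitive'` (as `token` already uses) makes an accidental leak stand out in the assertion output. The enclosing test callback starts before and ends after the hunk.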
@@ -781,11 +787,13 @@ describe('🎏 data handling', () => {
 assert.deepStrictEqual(e.response.headers, {
 ...responseHeaders, // non-redactables should be present
 authentication: REDACT,
+ authorization: REDACT,
 });
 assert.deepStrictEqual(e.response.data, {
 ...response, // non-redactables should be present
- grant_type: REDACT,
 assertion: REDACT,
+ client_secret: REDACT,
+ grant_type: REDACT,
 });
 } finally {
 scope.done();
From 696246c9e66998ce3fde0a55c7a90494e721cbe5 Mon Sep 17 00:00:00 2001
From: Mend Renovate
Date: Wed, 3 Apr 2024 01:22:16 +0200
Subject: [PATCH 2/2] chore(deps): update dependency tmp to v0.2.3 (#607)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [tmp](https://togithub.com/raszi/node-tmp) | [`0.2.1` -> `0.2.3`](https://renovatebot.com/diffs/npm/tmp/0.2.1/0.2.3) | [![age](https://developer.mend.io/api/mc/badges/age/npm/tmp/0.2.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/tmp/0.2.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/tmp/0.2.1/0.2.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/tmp/0.2.1/0.2.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes
raszi/node-tmp (tmp) ### [`v0.2.3`](https://togithub.com/raszi/node-tmp/compare/v0.2.2...v0.2.3) [Compare Source](https://togithub.com/raszi/node-tmp/compare/v0.2.2...v0.2.3) ### [`v0.2.2`](https://togithub.com/raszi/node-tmp/blob/HEAD/CHANGELOG.md#v022-2024-02-28) [Compare Source](https://togithub.com/raszi/node-tmp/compare/v0.2.1...v0.2.2) ##### :bug: Bug Fix - [#​278](https://togithub.com/raszi/node-tmp/pull/278) Closes [#​268](https://togithub.com/raszi/node-tmp/issues/268): Revert "fix [#​246](https://togithub.com/raszi/node-tmp/issues/246): remove any double quotes or single quotes… ([@​mbargiel](https://togithub.com/mbargiel)) ##### :memo: Documentation - [#​279](https://togithub.com/raszi/node-tmp/pull/279) Closes [#​266](https://togithub.com/raszi/node-tmp/issues/266): move paragraph on graceful cleanup to the head of the documentation ([@​silkentrance](https://togithub.com/silkentrance)) ##### Committers: 5 - Carsten Klein ([@​silkentrance](https://togithub.com/silkentrance)) - Dave Nicolson ([@​dnicolson](https://togithub.com/dnicolson)) - KARASZI István ([@​raszi](https://togithub.com/raszi)) - Maxime Bargiel ([@​mbargiel](https://togithub.com/mbargiel)) - [@​robertoaceves](https://togithub.com/robertoaceves)
--- ### Configuration πŸ“… **Schedule**: Branch creation - "after 9am and before 3pm" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/googleapis/gaxios). --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index c9cc63e4..969c82f5 100644 --- a/package.json +++ b/package.json @@ -79,7 +79,7 @@ "puppeteer": "^21.0.0", "sinon": "^17.0.0", "stream-browserify": "^3.0.0", - "tmp": "0.2.1", + "tmp": "0.2.3", "ts-loader": "^8.0.0", "typescript": "^5.1.6", "uuid": "^9.0.0",