From 34513eb37ef25d8deab3b79a6b72d1d087fe9588 Mon Sep 17 00:00:00 2001
From: James Lamont <958588+jylamont@users.noreply.github.com>
Date: Mon, 24 Feb 2025 11:07:00 -0500
Subject: [PATCH] bug: Fixed tracking api key leaking in logs
---
 lib/vero/http_client.rb | 2 +-
 lib/vero/sender.rb | 2 +-
 lib/vero/senders/base.rb | 2 +-
 lib/vero/utility/logger.rb | 25 ++++++++++++++++++++++++-
 lib/vero/workers/resque_worker.rb | 2 +-
 lib/vero/workers/sidekiq_worker.rb | 2 +-
 lib/vero/workers/sucker_punch_worker.rb | 2 +-
 7 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/lib/vero/http_client.rb b/lib/vero/http_client.rb
index 9031ebe..604e979 100644
--- a/lib/vero/http_client.rb
+++ b/lib/vero/http_client.rb
@@ -45,7 +45,7 @@ def log_request(params, body)
 log_params = params.dup
 if log_params.key?(:payload)
- log_params[:payload] = body.merge(tracking_api_key: "[FILTERED]").to_json
+ log_params[:payload] = Vero::App.sanitize_log_payload(body).to_json
 end
 @logger.info("Request: #{log_params.inspect}")
diff --git a/lib/vero/sender.rb b/lib/vero/sender.rb
index c213226..22037c1 100644
--- a/lib/vero/sender.rb
+++ b/lib/vero/sender.rb
@@ -10,7 +10,7 @@ def self.call(api_class, sender_strategy, domain, options)
 sender = senders[sender_strategy].new
 sender.call(api_class, domain, options)
 rescue => e
- Vero::App.log(new, "method: #{api_class.name}, options: #{JSON.dump(options)}, error: #{e.message}")
+ Vero::App.log_api_call(api_class.name, options, e.message)
 raise e
 end
diff --git a/lib/vero/senders/base.rb b/lib/vero/senders/base.rb
index 50a6372..cb5fe21 100644
--- a/lib/vero/senders/base.rb
+++ b/lib/vero/senders/base.rb
@@ -5,7 +5,7 @@ def call(api_class, domain, options)
 api_class = get_api_class(api_class)
 resp = enqueue_work(api_class, domain, options)
- Vero::App.log(self, "method: #{api_class.name}, options: #{JSON.dump(options)}, response: #{log_message}")
+ Vero::App.log_api_call(api_class.name, options, log_message)
 resp
 end
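Review bot: `Vero::App.sanitize_log_payload(body)` on the added line masks only a top-level `tracking_api_key`, while the last context line still writes the whole of `log_params.inspect` to the log, so every other entry of `params` goes out unmasked; whether `params` carries anything else sensitive (headers, for example) is not visible in this hunk. The removed line also inserted `tracking_api_key: "[FILTERED]"` unconditionally, whereas the new helper touches the payload only when the key is present, which is a small behaviour change worth a comment at the call site: `# Only a present tracking_api_key is masked; the remaining params entries are logged as-is.` The body of `log_request` continues outside the hunk.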
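Review bot: The added `Vero::App.log_api_call(api_class.name, options, e.message)` runs inside `rescue => e` ahead of `raise e`, and `sanitize_log_payload` calls `options.key?`, so if `options` is ever `nil` or not a Hash the logging path raises `NoMethodError` and that error replaces the original `e`; the removed `JSON.dump(options)` accepted any value, so this is a new failure mode. The same applies to the resque_worker, sidekiq_worker and sucker_punch_worker hunks, whose `rescue` blocks previously swallowed errors and can now propagate one from logging. A guard as the first line of `sanitize_log_payload`, `return payload unless payload.respond_to?(:key?)`, closes this for all four call sites. Separately, the removed message labelled this value `error:` and the new helper always prints `response:`, which makes failures and successes harder to tell apart when grepping logs. The enclosing `self.call` starts outside the hunk.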
diff --git a/lib/vero/utility/logger.rb b/lib/vero/utility/logger.rb
index 796cca3..dc4094b 100644
--- a/lib/vero/utility/logger.rb
+++ b/lib/vero/utility/logger.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 module Vero::Utility::Logger
+ FILTER_STRING = "[FILTERED]"
+
 def self.included(base)
 base.extend(ClassMethods)
 end
@@ -9,7 +11,14 @@ module ClassMethods
 def log(object, message)
 return unless Vero::App.default_context.config.logging && !defined?(RSpec)
- message = "#{object.class.name}: #{message}"
+ prefix = case object
+ when String
+ object
+ else
+ object.class.name
+ end
+
+ message = "#{prefix}: #{message}"
 if (logger = self.logger)
 logger.info(message)
@@ -18,6 +27,20 @@ def log(object, message)
 end
 end
+ def log_api_call(api_class, options, msg)
+ log(api_class, "params: #{sanitize_log_payload(options).to_json}, response: #{msg}")
+ end
+
+ def sanitize_log_payload(payload)
+ if payload.key?(:tracking_api_key)
+ payload.merge(tracking_api_key: FILTER_STRING)
+ elsif payload.key?("tracking_api_key")
+ payload.merge("tracking_api_key" => FILTER_STRING)
+ else
+ payload
+ end
+ end
+
 def logger
 Rails.logger if defined?(Rails)
 end
diff --git a/lib/vero/workers/resque_worker.rb b/lib/vero/workers/resque_worker.rb
index 0e12371..41566a2 100644
--- a/lib/vero/workers/resque_worker.rb
+++ b/lib/vero/workers/resque_worker.rb
@@ -8,6 +8,6 @@ class Vero::ResqueWorker
 def self.perform(api_class, domain, options)
 Vero::Senders::Base.new.call(api_class, domain, options)
 rescue => e
- Vero::App.log(self, "method: #{api_class}, options: #{options.to_json}, response: #{e.message}")
+ Vero::App.log_api_call(api_class, options, e.message)
 end
 end
diff --git a/lib/vero/workers/sidekiq_worker.rb b/lib/vero/workers/sidekiq_worker.rb
index 81107fb..dbb08f9 100644
--- a/lib/vero/workers/sidekiq_worker.rb
+++ b/lib/vero/workers/sidekiq_worker.rb
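Review bot: `FILTER_STRING = "[FILTERED]"` is added without a comment saying what it stands in for, and since it is the module's first public constant a reader has to find `sanitize_log_payload` further down to learn that. A one-line comment above it would do: `# Placeholder written to the log in place of secret values (currently tracking_api_key).`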
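Review bot: The six-line `case object ... end` added in `log` is a two-way branch on one class and reads more directly as `prefix = object.is_a?(String) ? object : object.class.name`. The reason a String is now accepted is not stated anywhere near the code and is worth a comment, e.g. `# object may be a class name already (workers receive api_class serialised as a String).` That reason is inferred from the worker hunks, so adjust the wording if the actual motivation differs. The body of `log` continues outside the hunk.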
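Review bot: `log_api_call` builds `sanitize_log_payload(options).to_json` inside the string literal before `log` is entered, so the `merge` and JSON serialisation of `options` run on every API call even when `log` then returns early on `config.logging`; the removed call sites paid the same cost, but this helper is the place to stop it, e.g. `return unless Vero::App.default_context.config.logging` as its first line. `sanitize_log_payload` also masks only a top-level `:tracking_api_key` or `"tracking_api_key"`; if any caller can carry the key below the top level, which this diff does not show, it is still logged as-is, and the `else` branch returns the caller's own object rather than a copy, which callers mutating the result should know. Both methods become class methods wherever the module is included (the http_client hunk already calls `Vero::App.sanitize_log_payload`), so YARD on each would help: `# @param payload [Hash] request body or sender options` / `# @return [Hash] a copy with the tracking key masked, or payload itself if it has no such key`.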
@@ -8,6 +8,6 @@ class Vero::SidekiqWorker
 def perform(api_class, domain, options)
 Vero::Senders::Base.new.call(api_class, domain, options)
 rescue => e
- Vero::App.log(self, "method: #{api_class}, options: #{options.to_json}, response: #{e.message}")
+ Vero::App.log_api_call(api_class, options, e.message)
 end
 end
diff --git a/lib/vero/workers/sucker_punch_worker.rb b/lib/vero/workers/sucker_punch_worker.rb
index 2049cb0..ad78114 100644
--- a/lib/vero/workers/sucker_punch_worker.rb
+++ b/lib/vero/workers/sucker_punch_worker.rb
@@ -8,6 +8,6 @@ class Vero::SuckerPunchWorker
 def perform(api_class, domain, options)
 Vero::Senders::Base.new.call(api_class, domain, options)
 rescue => e
- Vero::App.log(self, "method: #{api_class}, options: #{options.to_json}, response: #{e.message}")
+ Vero::App.log_api_call(api_class, options, e.message)
 end
 end