chore: introduce jsmasker to mask sensitive debug logging data.
This commit is contained in:
Bill Church
parent
01e312d701
commit
46338e4f2c
5 changed files with 15 additions and 45 deletions
|
|
@ -6,7 +6,8 @@ const express = require("express")
|
|||
const router = express.Router()
|
||||
const handleConnection = require("./connectionHandler")
|
||||
const basicAuth = require("basic-auth")
|
||||
const { sanitizeObject, validateSshTerm } = require("./utils")
|
||||
const { validateSshTerm } = require("./utils")
|
||||
const maskObject = require('jsmasker');
|
||||
const validator = require("validator")
|
||||
|
||||
function auth(req, res, next) {
|
||||
|
|
@ -63,7 +64,7 @@ router.get("/host/:host", auth, function (req, res) {
|
|||
req.session.usedBasicAuth = true
|
||||
|
||||
// Sanitize and log the sshCredentials object
|
||||
const sanitizedCredentials = sanitizeObject(
|
||||
const sanitizedCredentials = maskObject(
|
||||
JSON.parse(JSON.stringify(req.session.sshCredentials))
|
||||
)
|
||||
debug("/ssh/host/ Credentials: ", sanitizedCredentials)
|
||||
|
|
|
|||
|
|
@ -2,11 +2,12 @@
|
|||
// app/socket.js
|
||||
"use strict"
|
||||
|
||||
var createDebug = require("debug")
|
||||
var debug = createDebug("webssh2:socket")
|
||||
var SSHConnection = require("./ssh")
|
||||
var { sanitizeObject, validateSshTerm } = require("./utils")
|
||||
var validator = require("validator")
|
||||
const createDebug = require("debug")
|
||||
const debug = createDebug("webssh2:socket")
|
||||
const SSHConnection = require("./ssh")
|
||||
const { validateSshTerm } = require("./utils")
|
||||
const maskObject = require('jsmasker');
|
||||
const validator = require("validator")
|
||||
|
||||
module.exports = function (io, config) {
|
||||
io.on("connection", function (socket) {
|
||||
|
|
@ -30,7 +31,7 @@ module.exports = function (io, config) {
|
|||
* @param {Object} config - The configuration object.
|
||||
*/
|
||||
function handleAuthenticate(creds) {
|
||||
debug("handleAuthenticate: " + socket.id + ", %O", sanitizeObject(creds))
|
||||
debug("handleAuthenticate: " + socket.id + ", %O", maskObject(creds))
|
||||
|
||||
if (isValidCredentials(creds)) {
|
||||
sessionState.term = validateSshTerm(creds.term)
|
||||
|
|
@ -65,7 +66,7 @@ module.exports = function (io, config) {
|
|||
", INITIALIZING SSH CONNECTION: Host: " +
|
||||
creds.host +
|
||||
", creds: %O",
|
||||
sanitizeObject(creds)
|
||||
maskObject(creds)
|
||||
)
|
||||
|
||||
ssh
|
||||
|
|
@ -392,7 +393,7 @@ module.exports = function (io, config) {
|
|||
", Host: " +
|
||||
creds.host +
|
||||
": HTTP Basic Credentials Exist, creds: %O",
|
||||
sanitizeObject(creds)
|
||||
maskObject(creds)
|
||||
)
|
||||
handleAuthenticate(creds)
|
||||
} else if (!sessionState.authenticated) {
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
const createDebug = require("debug")
|
||||
const debug = createDebug("webssh2:ssh")
|
||||
const SSH = require("ssh2").Client
|
||||
const { sanitizeObject } = require("./utils")
|
||||
const maskObject = require('jsmasker');
|
||||
|
||||
function SSHConnection(config) {
|
||||
this.config = config
|
||||
|
|
@ -16,7 +16,7 @@ function SSHConnection(config) {
|
|||
SSHConnection.prototype.connect = function(creds) {
|
||||
var self = this
|
||||
return new Promise(function(resolve, reject) {
|
||||
debug("connect: %O", sanitizeObject(creds))
|
||||
debug("connect: %O", maskObject(creds))
|
||||
|
||||
if (self.conn) {
|
||||
self.conn.end()
|
||||
|
|
|
|||
33
app/utils.js
33
app/utils.js
|
|
@ -4,38 +4,6 @@ const validator = require("validator")
|
|||
const createDebug = require("debug")
|
||||
const debug = createDebug("webssh2:utils")
|
||||
|
||||
/**
|
||||
* Sanitizes an object by replacing sensitive properties with asterisks.
|
||||
* @param {Object} obj - The object to sanitize.
|
||||
* @param {Array} [properties=['password', 'key', 'secret', 'token']] - The list of properties to sanitize.
|
||||
* @returns {Object} - The sanitized object.
|
||||
*/
|
||||
function sanitizeObject(
|
||||
obj,
|
||||
properties = ["password", "key", "secret", "token"]
|
||||
) {
|
||||
if (obj && typeof obj === "object") {
|
||||
const copy = Array.isArray(obj) ? [] : Object.assign({}, obj)
|
||||
|
||||
for (const key in obj) {
|
||||
if (obj.hasOwnProperty(key)) {
|
||||
// eslint-disable-line no-prototype-builtins
|
||||
if (properties.includes(key) && typeof obj[key] === "string") {
|
||||
copy[key] = "*".repeat(obj[key].length)
|
||||
} else if (typeof obj[key] === "object") {
|
||||
copy[key] = sanitizeObject(obj[key], properties)
|
||||
} else {
|
||||
copy[key] = obj[key]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return copy
|
||||
}
|
||||
|
||||
return obj
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates the SSH terminal name using validator functions.
|
||||
* Allows alphanumeric characters, hyphens, and periods.
|
||||
|
|
@ -54,5 +22,4 @@ function validateSshTerm(term) {
|
|||
)
|
||||
}
|
||||
|
||||
exports.sanitizeObject = sanitizeObject
|
||||
exports.validateSshTerm = validateSshTerm
|
||||
|
|
|
|||
|
|
@ -39,6 +39,7 @@
|
|||
"express": "^4.14.1",
|
||||
"express-session": "^1.18.0",
|
||||
"express-socket.io-session": "^1.3.5",
|
||||
"jsmasker": "^1.1.2",
|
||||
"read-config-ng": "~3.0.7",
|
||||
"socket.io": "~2.2.0",
|
||||
"ssh2": "~0.8.9",
|
||||
|
|
|
|||
Loading…
Reference in a new issue