Closed nati-mask closed 3 years ago
Seems like a bug, but if we fix it I think is also a breaking change. We're planning a 5.x series, we could fix the inconsistency there. Thoughts?
@bithavoc Thanks for the quick response. To avoid breaking changes, how about adding an explicit boolean option like requestExcludeBody
?
It's not the most consistent or elegant solution, but it would allow to painlessly avoid the issue by just changing line 334 from:
if (req.body !== undefined) {
//...
}
to
if (req.body !== undefined && !options.requestExcludeBody) {
//...
}
That would work, mind including some tests reproducing it and fixing it?
PR is here: #258
Say I want to log the request body most of the times (so I'll add it to the
requestWhitelist
) But I also use therequestFilter
callback option, and there I'll conditionally returnundefined
for thebody
prop (there ARE sensitive bodies!) We can clearly see in those lines: https://github.com/bithavoc/express-winston/blob/32a7747dfd32213b8a316b9c2b09becf8f8c7c29/index.js#L338-L344 That thefilteredBody
will get filled with my unwanted request body props (passing the samerequestFilter
to thefilterObject
in order to filter out body props is pointless, because it was intended to filter request props, not body props) And then, here at those lines: https://github.com/bithavoc/express-winston/blob/32a7747dfd32213b8a316b9c2b09becf8f8c7c29/index.js#L349-L355 ThisfilteredBody
will unconditionally bring back thebody
to my log-request! That's not only contradicts the docs:...There is no exception mentioned for the
body
request value! That's also not aligned with the behavior of theresponseFilter
(which will filter-out the response body) But also, in my opinion, poses a security risk, because people will are using filters to filter out sensitive data. A fast solution could be just add a condition like that:But I don't sure this "patch" is a good idea, because as said, why pass this
requestFilter
to filter body props at all...