Closed P4sca1 closed 4 years ago
Would you have time to send a PR? We are a bit strained in time for the coming weeks and I would love to get this solved sooner than that.
I think the problem happens because we are not passing through redaction when calling `child()`.
@mcollina I would like to take this issue
go for it!
@baterson Thank you very much for fixing this!
Not sure if this is related or if I need to ask this on the pino-http repo, but setting this redact field like:

```js
const pino = require('pino');
const pinoHttp = require('pino-http');

const logger = pino({ name: 'abc' });
const expressPino = pinoHttp({
  logger,
  redact: { paths: ['req.body.password', '*.headers.authorization'], remove: true }
});
```

doesn't redact the mentioned fields. pino-http accepts redact as an input parameter but still doesn't redact the fields. Setting the redact option in the pino logger initialization works.
you need to pass the redact option to the main logger.
Custom object properties are not redacted. This is especially critical for the `pino-http` package. There the `req` object can't be redacted, so things like `req.headers.authorization` are always exposed to logs.

Example code:

Start the app and do an HTTP request: `curl -H "authorization: Bearer test" http://localhost:8000`. You will see that `req.headers.authorization` is not redacted.

What happens is that the `req` object is never passed to log redaction, because it is not passed to the logger functions, but during child logger instantiation: https://github.com/pinojs/pino-http/blob/d593aa6084f1fe70a506ad8f202fc7f339b87fb5/logger.js#L94

Would be great if pino would redact custom log properties.
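A regression check for the leak described in this issue, as an added example that is not part of the original thread or of pino's own code: it scans pino-style NDJSON log lines for values at the redact paths that are present but not censored. The helper names and the sample lines are constructed here; `[Redacted]` is pino's default censor string.

```javascript
// Added example: audit pino-style NDJSON log lines for values that should
// have been redacted. Paths use the dotted form from the redact config in
// this thread; a "*" segment matches any single key at that level.
const SENSITIVE_PATHS = ['req.body.password', '*.headers.authorization'];
const CENSOR = '[Redacted]'; // pino's default censor string

// Resolve a dotted path against an object, expanding "*" segments.
// Returns [{ path, value }] for every concrete match that exists.
function resolve(obj, segments, prefix = []) {
  if (segments.length === 0) return [{ path: prefix.join('.'), value: obj }];
  if (obj === null || typeof obj !== 'object') return [];
  const [head, ...rest] = segments;
  const keys = head === '*' ? Object.keys(obj) : (head in obj ? [head] : []);
  return keys.flatMap((k) => resolve(obj[k], rest, [...prefix, k]));
}

// Return the paths in one log line whose value is present and not censored.
function findLeaks(line, paths = SENSITIVE_PATHS) {
  let record;
  try {
    record = JSON.parse(line);
  } catch {
    return []; // not a JSON log line; nothing to audit
  }
  return paths
    .flatMap((p) => resolve(record, p.split('.')))
    .filter(({ value }) => value !== undefined && value !== CENSOR)
    .map(({ path }) => path);
}

// Constructed sample lines (not real pino-http output).
const SAMPLE_LINES = [
  // req attached via child bindings and left unredacted, as reported above
  '{"level":30,"req":{"method":"GET","headers":{"authorization":"Bearer test"}},"msg":"request completed"}',
  // same record with the censor applied
  '{"level":30,"req":{"method":"GET","headers":{"authorization":"[Redacted]"}},"msg":"request completed"}',
  // remove: true drops the key entirely
  '{"level":30,"req":{"method":"GET","headers":{}},"msg":"request completed"}',
];

// Report 1-based line numbers together with the leaking paths.
function auditLines(lines) {
  return lines
    .map((l, i) => ({ line: i + 1, leaks: findLeaks(l) }))
    .filter((r) => r.leaks.length > 0);
}

console.log(auditLines(SAMPLE_LINES));
```

Run against captured test-suite log output, a non-empty result from `auditLines` means a sensitive path reached the log stream uncensored.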