pulsar-edit / package-backend

Pulsar Server Backend for Packages
https://api.pulsar-edit.dev
MIT License
11 stars, 11 forks

Ensure sensitive details are never logged via CallStack #247

Closed confused-Techie closed 3 months ago

confused-Techie commented 4 months ago

Requirements

Description of the Change

This PR adds much more logic to ensure sensitive details are never logged via CallStack.

meadowsys commented 4 months ago

Actually, thought... there are likely purpose-built libraries that search/mask strings for all sorts of tokens; perhaps that would be better for us to build CallStack on top of?

confused-Techie commented 4 months ago

@Meadowsys I do like your idea of finding something that can be used here. I was able to find hide-secrets on NPM, which does essentially what we are already doing, with less flexibility (as far as I can tell), so maybe we can just grab the extra list of items they check for and add them here.

The other thing I'd be interested in is finding the source of whatever GitHub Actions uses for this exact same purpose, since I know GitHub has a partner program with a much longer list, so I wonder if that code is public.
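As an added example of the approach the thread is converging on (a fixed list of credential-shaped patterns, extended with any values the service already knows are secret, applied before anything reaches the log sink), here is a small sanitizing log wrapper. It is not the package-backend's CallStack code; the function names, the pattern list and the `knownSecrets` argument are assumptions, and the only prefixes taken from real formats are GitHub's public `ghp_` / `github_pat_` token prefixes.

```javascript
'use strict';

// Hypothetical log sanitizer (added example, not the package-backend's CallStack).
// Layer 1 masks exact secret values the process was told about at startup
// (e.g. values read from process.env); layer 2 masks anything that merely
// looks like a credential, so tokens we did not anticipate are still caught.

const REDACTED = '[REDACTED]';

// Layer 2 patterns. Each replacer keeps the non-secret context (key name,
// "Bearer " prefix, token prefix) so the log line stays readable.
const PATTERNS = [
  // "key=value", "key: value" or JSON "key":"value" where the key name
  // suggests a credential. A leading "Bearer " inside the value is kept.
  {
    re: /\b(password|passwd|secret|token|api[_-]?key|authorization)(["']?\s*[=:]\s*["']?)((?:Bearer\s+)?[^\s"',;&]+)/gi,
    replace: (m, key, sep, value) =>
      key + sep + (/^Bearer\s/i.test(value) ? 'Bearer ' + REDACTED : REDACTED),
  },
  // GitHub personal access tokens: classic "ghp_" and fine-grained "github_pat_".
  {
    re: /\b(ghp_|github_pat_)[A-Za-z0-9_]{20,}\b/g,
    replace: (m, prefix) => prefix + REDACTED,
  },
  // Bare bearer tokens in header-like text that had no recognisable key.
  {
    re: /\b(Bearer\s+)[A-Za-z0-9\-._~+\/]+=*/gi,
    replace: (m, prefix) => prefix + REDACTED,
  },
];

// Return `text` with known secret values and credential-shaped substrings masked.
function redactSecrets(text, knownSecrets = []) {
  let out = String(text);
  // Layer 1: exact matches. Very short values are skipped so a 3-character
  // "secret" cannot blank out unrelated words.
  for (const secret of knownSecrets) {
    if (typeof secret === 'string' && secret.length >= 8) {
      out = out.split(secret).join(REDACTED);
    }
  }
  // Layer 2: pattern-based masking, in the order listed above.
  for (const { re, replace } of PATTERNS) {
    out = out.replace(re, replace);
  }
  return out;
}

// Wrap a sink (console.log, a file writer, ...) so every argument, including
// objects, is serialised and sanitised before it is written.
function makeSafeLogger(sink, knownSecrets = []) {
  return (...args) => {
    const line = args
      .map((a) => (typeof a === 'string' ? a : JSON.stringify(a)))
      .join(' ');
    sink(redactSecrets(line, knownSecrets));
  };
}

// Constructed sample usage: a request log that would otherwise leak an API key.
const log = makeSafeLogger(console.log, ['s3cr3t-value-xyz']);
log('incoming request', { apiKey: 'abcdef12', user: 'bob' });

module.exports = { redactSecrets, makeSafeLogger, REDACTED };
```

The two layers cover different failure modes: the exact-value layer catches a secret no matter how it is embedded (inside a URL, an error message, a stringified object), while the pattern layer catches credentials the process never saw as configuration, such as a token a user pasted into a request body. Keeping the key name in the output is what makes a redacted line still useful for debugging.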

confused-Techie commented 4 months ago

@Meadowsys I've gone ahead and implemented your suggestions; let me know if there's anything else you spot.