serilog-contrib / Serilog.Enrichers.Sensitive

A Serilog LogEvent enricher that masks sensitive data
MIT License

Masking properties of a serialized object #15

Closed forrestab closed 1 year ago

forrestab commented 1 year ago

We have a requirement to log the response body of each API request. There are a couple of fields in the response that are considered sensitive and need to be masked. I tried using options.MaskProperties, but that didn't seem to work and looks to be more for the placeholders in a message template.

Would something like this be achievable with this package? I considered creating a custom operator and using a combination of JsonPath to search and JsonPatch to replace, but not sure that's the best approach. Am I missing any combination of provided options?

Thanks.

sandermvanvliet commented 1 year ago

Can you give me an example of what the log message would look like?

If I understand it correctly you want to do something like:

logger.Information("Response body: {Response}", serialisedResponseAsJson);

and the serialised response as:

{
   "prop": "super sensitive stuff"
}

with the result being that “super sensitive stuff” is masked?

forrestab commented 1 year ago

Yes except we are using serilog to do the serializing, i.e.

logger.Information("Response body: {@Response}", response);

sandermvanvliet commented 1 year ago

Ah right, so you're using destructured objects. In that case masking should work actually as you can see in this test: WhenMaskingDestructredObject

sandermvanvliet commented 1 year ago

Ok so I've added a test to specifically check for this use case, see here and that seems to work fine.

If you're seeing different results, could you create a repro case for me so that I can investigate?

forrestab commented 1 year ago

I'm sorry, I should have given you more information. You are correct, masking does occur in destructured objects, but not in arrays.

The following sample is what I'm trying to log and mask properties from:

{
    "items": [
        {
            "contactInfo": {
                "primary": {
                    "ssn": 0
                }
            }
        }
    ],
    "currentPage": 1
}

I'm able to mask currentPage, but unable to mask ssn in the above JSON.

However, if the object is not in an array, the ssn property is masked correctly. I've also tried returning just an array of account objects and the ssn property was not masked. So it seems something doesn't like arrays.

sandermvanvliet commented 1 year ago

Thanks for the repro case. Let me have a quick look, shouldn’t be difficult to address this 👍

sandermvanvliet commented 1 year ago

That was indeed not very difficult, it's now released as 1.5.0 and should be available through NuGet shortly after it has updated its index.

forrestab commented 1 year ago

Thank you, this is working perfectly!
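
The array case from this thread, as an added example that is not part of the original discussion and not the package's own code: a Serilog enricher that masks named properties at any depth of a destructured value, descending into sequences as well as structures. The class name RecursiveMaskingEnricher, the mask text and the sample payload are assumptions, and the Serilog.Sinks.Console package is assumed to be installed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Serilog;
using Serilog.Core;
using Serilog.Events;

// Constructed sample mirroring the thread's payload; Serilog.Sinks.Console assumed installed.
var response = new { items = new[] { new { contactInfo = new { primary = new { ssn = 0 } } } }, currentPage = 1 };
var log = new LoggerConfiguration().Enrich.With(new RecursiveMaskingEnricher("ssn"))
    .WriteTo.Console().CreateLogger();
log.Information("Response body: {@Response}", response);

// Hypothetical enricher (added example, not the package's code): masks named
// properties anywhere in a destructured value, including inside arrays.
public sealed class RecursiveMaskingEnricher : ILogEventEnricher
{
    private const string Mask = "***MASKED***"; // assumed mask text
    private readonly HashSet<string> _names;
    public RecursiveMaskingEnricher(params string[] names) =>
        _names = new HashSet<string>(names, StringComparer.OrdinalIgnoreCase);

    public void Enrich(LogEvent logEvent, ILogEventPropertyFactory propertyFactory)
    {
        // Snapshot first: AddOrUpdateProperty changes the collection being read.
        foreach (var p in logEvent.Properties.ToList())
            logEvent.AddOrUpdateProperty(new LogEventProperty(p.Key, Walk(p.Key, p.Value)));
    }

    private LogEventPropertyValue Walk(string? name, LogEventPropertyValue value)
    {
        if (name != null && _names.Contains(name)) return new ScalarValue(Mask);
        switch (value)
        {
            case StructureValue s: // destructured object: check each member by name
                return new StructureValue(
                    s.Properties.Select(p => new LogEventProperty(p.Name, Walk(p.Name, p.Value))),
                    s.TypeTag);
            case SequenceValue seq: // arrays and lists: elements carry no name, so recurse
                return new SequenceValue(seq.Elements.Select(e => Walk(null, e)));
            case DictionaryValue d: // dictionaries: a string key acts as the property name
                return new DictionaryValue(d.Elements.Select(kv =>
                    new KeyValuePair<ScalarValue, LogEventPropertyValue>(
                        kv.Key, Walk(kv.Key.Value as string, kv.Value))));
            default:
                return value; // scalars that did not match a masked name
        }
    }
}
```

A matching name replaces the whole value under it, so a structure or array stored under a masked name is hidden entirely rather than partially.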