solarwinds / appoptics-apm-node

AppOptics APM Instrumentation Agent for Node.js
Apache License 2.0

NH-16920-Mask-Logged-Service-Key-when-Invalid #284

Closed ronilan closed 2 years ago

ronilan commented 2 years ago

Overview

This pull request changes logging code so that it masks a service key output in the logged error even if the input value itself is not a valid service key.

Status

When a user provides an invalid service key, application logs will contain what was provided as-is. An invalid service key may still expose a valid and usable token or part thereof.

Change

Always mask the service key provided.

Note

jerrytfleung commented 2 years ago

@ronilan code looks good to me.

@cheempz Is the idea for the agent to have its own understanding of service key masking? Although Python, PHP, and Node are doing similar masking by ...., they have different behavior for edge cases.
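The behavior this pull request describes, masking the service key in log output even when it fails validation, sketched as an added example; this is not the agent's code and not part of the thread. The `<token>:<service-name>` shape, the 64-hex-character token rule, the number of characters kept, and all function names are assumptions made for illustration.

```javascript
'use strict';

// Assumed key shape for this example: "<token>:<service-name>", with a
// 64-hex-character token. Neither rule is taken from the pull request.
const VALID_KEY = /^[0-9a-f]{64}:.+$/i;

// Hide the middle of a secret. Short values are fully redacted, because
// showing both ends of a short string would reveal most of it.
function maskSecret(s, keep = 4) {
  if (s.length <= keep * 4) return '<redacted>';
  return s.slice(0, keep) + '...' + s.slice(-keep);
}

// Before: masking happens only on the "valid" path, so a rejected value
// (a real token with one stray character, say) reaches the log as-is.
function maskIfValid(key) {
  const s = String(key);
  return VALID_KEY.test(s) ? maskServiceKey(s) : s;
}

// After: always mask. Only a key that validates is trusted to have the
// token before the colon; anything else is treated as secret in full,
// which also covers a token pasted after the colon or with no colon.
function maskServiceKey(key) {
  const s = String(key);
  if (VALID_KEY.test(s)) {
    const sep = s.indexOf(':');
    return maskSecret(s.slice(0, sep)) + s.slice(sep);
  }
  return maskSecret(s);
}

// Constructed sample inputs (not real keys).
const token = 'a1b2c3d4'.repeat(8);
const samples = [
  token + ':my-service',   // valid
  token + 'Z:my-service',  // invalid: stray character after the token
  'my-service:' + token,   // invalid: parts swapped
  'abc123',                // invalid: short, no colon
];
for (const key of samples) {
  console.log('invalid or rejected key logged as:', maskServiceKey(key));
}
```
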