
Sensitive Param Filter

sensitive-param-filter is a zero-dependency package designed to filter sensitive values from JavaScript objects. This package can be used to scrub logs, filter data before outputting to a UI, etc. The defaults provided with sensitive-param-filter should work well for most applications.

Installation

Install sensitive-param-filter to your project via either npm:

npm install @amaabca/sensitive-param-filter

or yarn:

yarn add @amaabca/sensitive-param-filter

Usage

const { SensitiveParamFilter } = require('@amaabca/sensitive-param-filter')
const paramFilter = new SensitiveParamFilter()
const rawObject = {
  Authorization: 'Bearer somedatatoken',
  body: {
    info: '{ "amount": 28.64, "credit_card": "4242424242424242", "cvv": "123" }'
  },
  method: 'POST',
  url: 'https://pay.example.com?user=bob.bobbington&password=asecurepassword1234'
}
const filteredObject = paramFilter.filter(rawObject)
// filteredObject = {
//   Authorization: 'FILTERED',
//   body: {
//     info: '{ "amount": 28.64, "credit_card": "FILTERED", "cvv": "FILTERED" }'
//   },
//   method: 'POST',
//   url: 'https://pay.example.com?user=bob.bobbington&password=FILTERED'
// }

Details

sensitive-param-filter examines keys to determine which values to filter. Key matching is done in a case-insensitive, partial-matching manner (that is, if the param AUTH is provided, Authorization, AUTHENTICATION, etc. will be filtered).

Key Features

  • Does not modify input objects
  • Performs a deep copy of the input object (note that booleans, numbers, and strings - which are immutable - are technically copied by reference)
  • Can be configured to filter out or leave "unexpected" objects (such as functions)
  • Handles circular references
  • Filters valid JSON strings
  • Filters valid and malformed URL query params
  • Filters Errors, Arrays, Maps, Sets, and simple objects

Options

const { SPFDefaultParams, SensitiveParamFilter } = require('@amaabca/sensitive-param-filter')
const filter = new SensitiveParamFilter({
  filterUnknown: false,
  params: SPFDefaultParams.concat(['data', 'email']),
  replacement: '***',
  whitelist: ['authentic', 'encryption_standard']
})

  • filterUnknown: Indicates whether "unexpected" objects (such as functions) should be filtered or returned as-is. Defaults to true

  • params: An array of string params to filter. These entries will be combined into a regex that is used by sensitive-param-filter. Setting this option overwrites the default array (SPFDefaultParams).

  • replacement: The object to replace filtered values with. Defaults to 'FILTERED'.

  • whitelist: An array of strings to exclude from filtering. For example, if pass_through is included in the whitelist, the key pass_through will not be filtered. Note that entries must match keys exactly to prevent filtering - that is, whitelisting secrets still causes secrets_store to be filtered.
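The matching rules from the Details, Key Features and Options sections, shown in working code. This is an added illustration and not the library's own implementation: the buildFilter function, DEFAULT_PARAMS and the request sample are constructed here so the behaviour (case-insensitive partial key matching, exact-match whitelist, JSON-string and query-string values, circular references, filterUnknown) can be run without the package.

```javascript
// Added illustration of the documented rules; NOT the library's own code.
const DEFAULT_PARAMS = ['auth', 'bearer', 'credit', 'cvd', 'cvv', 'encrypt', 'pan', 'pass', 'secret', 'token']

function buildFilter({ params = DEFAULT_PARAMS, replacement = 'FILTERED', whitelist = [], filterUnknown = true } = {}) {
  const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
  const keyRegex = new RegExp(params.map(escapeRegex).join('|'), 'i') // "auth" matches Authorization, AUTHENTICATION, ...
  const isSensitive = (key) => !whitelist.includes(key) && keyRegex.test(key) // whitelist must match exactly

  function filterString(value) {
    // A string that is itself a JSON document is parsed, filtered and re-serialised
    if (/^\s*[{[]/.test(value)) {
      try { return JSON.stringify(filterValue(JSON.parse(value), new WeakMap())) } catch (e) { /* not valid JSON */ }
    }
    // Query-string params are filtered in place; no URL parsing, so malformed URLs work too
    return value.replace(/([^?&#=]+)=([^&#]*)/g, (match, key) => (isSensitive(key) ? `${key}=${replacement}` : match))
  }

  function filterValue(value, seen) {
    if (typeof value === 'string') return filterString(value)
    if (typeof value === 'function') return filterUnknown ? replacement : value // "unexpected" object
    if (value === null || typeof value !== 'object') return value             // numbers, booleans, undefined
    if (seen.has(value)) return seen.get(value)                               // circular reference: reuse the copy
    const copy = Array.isArray(value) ? [] : {}
    seen.set(value, copy)                                                     // register before recursing
    for (const [key, child] of Object.entries(value)) {
      copy[key] = !Array.isArray(value) && isSensitive(key) ? replacement : filterValue(child, seen)
    }
    return copy
  }

  return (input) => filterValue(input, new WeakMap()) // input is never modified; a deep copy is returned
}

// Constructed sample mirroring the README's usage example, plus a whitelist case and a cycle
const request = {
  Authorization: 'Bearer somedatatoken',
  body: { info: '{ "amount": 28.64, "credit_card": "4242424242424242", "cvv": "123" }' },
  url: 'https://pay.example.com?user=bob.bobbington&password=asecurepassword1234',
  authentic: true,      // whitelisted exactly, so it survives despite matching "auth"
  secrets_store: 'vault' // "secrets" in the whitelist does not protect "secrets_store"
}
request.self = request
const filter = buildFilter({ whitelist: ['authentic', 'secrets'] })
const filtered = filter(request)
```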

Default Values

See defaults. Note that all of these values can be overridden via the options.

The default keys that are filtered are:

  • auth
  • bearer
  • credit
  • CVD
  • CVV
  • encrypt
  • PAN
  • pass
  • secret
  • token

License & Contributing

sensitive-param-filter uses the MIT license. See the license.

We welcome contributions. See contributing.


sensitive-param-filter's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open


  • Update All Dependencies (actions/checkout, actions/download-artifact, actions/setup-node, actions/upload-artifact, eslint, jest)

Detected dependencies

github-actions
.github/workflows/cd-workflow.yml
  • actions/checkout v2
  • actions/upload-artifact v2
  • actions/checkout v2
  • actions/download-artifact v2
  • actions/setup-node v2
  • actions/checkout v2
  • actions/download-artifact v2
  • actions/setup-node v2
.github/workflows/ci-workflow.yml
  • actions/checkout v2
  • actions/setup-node v2
npm
package.json
  • eslint 8.5.0
  • jest 27.4.5
  • npm >=8


[BUG]: All (non-empty) `Map`s and `Set`s are converted to `{}`

Describe the bug:
Passing a Map or a Set to SensitiveParamFilter turns these data structures into an empty object (printed as {}).
I would expect that a Set remains unchanged (as it is the case for arrays) and a Map is converted into an object with the same keys as the Map and the values filtered if necessary.

Sample Reproduction:

  const { SensitiveParamFilter } = require('@amaabca/sensitive-param-filter')

  // NOT OK
  const filter = new SensitiveParamFilter()
  console.log(
    filter.filter([
      "map test",
      new Map([
        ["Password", 143534],
        ["345", 2],
      ]),
    ]),
  )
  // Output: [ 'map test', {} ]

  // NOT OK
  console.log(filter.filter(["set test", new Set(["123", "Password"])]))
  // Output: [ 'set test', {} ]

  // OK
  console.log(filter.filter(["array test", ["123", "Password"]]))
  // Output: [ 'array test', [ '123', 'Password' ] ]

  // OK
  console.log(
    filter.filter([
      "object from map test",
      Object.fromEntries(
        new Map([
          ["Password", 134545],
          ["345", 2],
        ]),
      ),
    ]),
  )
  // Output: [ 'object from map test', { '345': 2, Password: 'FILTERED' } ]

[FEATURE]: Autocomplete

Describe the feature:
Some form of autocomplete should be used, so that, when using the library, suggestions are automatically made by the IDE

Use Cases:
When typing new SensitiveParamFilter( in VSCode, it would be great if the different options that could be passed in appeared in a tool-tip.

Example:
N/A

Are you willing to make a pull request to implement this feature?
Yup! Might be a while, but it should happen eventually.

Filter sensitive params out of strings

I was trying to use the filter in blue-node-utils in order to console log the error. However, that object contained a _headers key that had all the headers in its value as a string, and therefore the Bearer Token was exposed. Until this is fixed, I decided to not log that error anymore.
