express-bunyan-logger - npm Package Compare versions

Comparing version 1.2.0 to 1.3.0

index.js

 var bunyan = require('bunyan'),
+    has = require('lodash.has'),
+    set = require('lodash.set'),
     useragent = require('useragent'),
@@ -20,2 +22,4 @@ uuid = require('node-uuid'),
         excludes,
+        obfuscate,
+        obfuscatePlaceholder,
         genReqId = defaultGenReqId,
@@ -29,3 +33,3 @@ levelFn = defaultLevelFn,
 
-    // default format 
+    // default format
     format = opts.format || ":remote-address :incoming :method :url HTTP/:http-version :status-code :res-headers[content-length] :referer :user-agent[family] :user-agent[major].:user-agent[minor] :user-agent[os] :response-time ms";
@@ -52,2 +56,9 @@ delete opts.format; // don't pass it to bunyan
 
+    if (opts.obfuscate) {
+        obfuscate = opts.obfuscate;
+        obfuscatePlaceholder = opts.obfuscatePlaceholder || '[HIDDEN]';
+        delete opts.obfuscate;
+        delete opts.obfuscatePlaceholder;
+    }
+
     if (opts.includesFn) {
@@ -81,3 +92,3 @@ includesFn = opts.includesFn;
 
-        if (genReqId) 
+        if (genReqId)
           requestId = genReqId(req);
@@ -117,3 +128,3 @@
                 'body': req.body,
-                'short-body': util.inspect(req.body).substring(0, 20),
+                'short-body': undefined,
                 'http-version': httpVersion,
@@ -144,4 +155,4 @@ 'response-time': responseTime,
                     });
-                  
-                    for (var p in meta) 
+
+                    for (var p in meta)
                         if (!exs[p])
@@ -162,2 +173,17 @@ json[p] = meta[p];
 
+            // obfuscate last in case we set something in our includesFn
+            if (obfuscate) {
+              for(var i in obfuscate) {
+                var key = obfuscate[i];
+                if (has(json, key)) {
+                  set(json, key, obfuscatePlaceholder);
+                }
+              }
+            }
+
+            // Set the short-body here in case we've modified the body in obfuscate
+            if (json && json.body) {
+              json['short-body'] = util.inspect(json.body).substring(0, 20);
+            }
+
             if (!json) {
@@ -164,0 +190,0 @@ logFn.call(childLogger, format(meta));

package.json

 {
   "name": "express-bunyan-logger",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "a bunyan logger middleware for express",
@@ -21,2 +21,4 @@ "main": "index.js",
     "bunyan": "^1.0.0",
+    "lodash.has": "^3.2.1",
+    "lodash.set": "^3.7.4",
     "node-uuid": "^1.4.1",
@@ -26,2 +28,3 @@ "useragent": "^2.0.9"
   "devDependencies": {
+    "body-parser": "^1.14.2",
     "express": "4.x",
@@ -28,0 +31,0 @@ "jshint": "~2.1.9",

README.md

@@ -15,6 +15,6 @@ # Express-bunyan-logger
     npm install express-bunyan-logger
-   
+
 ## Usage
 
-To use the logger: 
+To use the logger:
 
@@ -30,3 +30,3 @@ app.use(require('express-bunyan-logger')());
     app.use(require('express-bunyan-logger')({
-        name: 'logger', 
+        name: 'logger',
         streams: [{
@@ -68,3 +68,3 @@ level: 'info',
 
-Function that translate statusCode into log level. The `meta` argument is an object consisting of all the fields gathered by bunyan-express-logger, before exclusions are applied. 
+Function that translate statusCode into log level. The `meta` argument is an object consisting of all the fields gathered by bunyan-express-logger, before exclusions are applied.
 
@@ -101,2 +101,13 @@ ```
 
+### options.obfuscate
+Array of strings to obfuscate.
+These strings can be in dotted notation, for instance `body.password`, and it will only replace that specific value.
+This will replace the values in log messages with a [placeholder](#optionsobfuscateplaceholder).
+
+### options.obfuscatePlaceholder
+
+Placeholder to use when obfuscating values.
+This is only applicable when there are values to obfuscate.
+Default is `[HIDDEN]`.
+
 ### options.serializers
@@ -103,0 +114,0 @@

test/bunyan.test.js

@@ -6,2 +6,3 @@ var express = require('express');
 var bunyanLogger = require('../');
+var util = require('util');
 
@@ -16,3 +17,3 @@
       this.content = Buffer.concat([this.content, chunk]);
-    else 
+    else
       this.content = chunk;
@@ -33,3 +34,3 @@ next();
     }));
-    
+
     app.get('/', function(req, res) {
@@ -42,3 +43,3 @@ res.send('GET /');
       .expect('GET /', function(err, res) {
-        if(err) 
+        if(err)
           done(err);
@@ -62,3 +63,3 @@ else {
     }));
-    
+
     request(app)
@@ -92,3 +93,3 @@ .get('/missing')
     });
-    
+
     request(app)
@@ -130,3 +131,3 @@ .get('/')
     });
-    
+
     request(app)
@@ -143,3 +144,101 @@ .get('/')
 
+  describe('test obfuscate', function() {
+    var app, output,
+        USERNAME = 'MY_USER',
+        PASSWORD = 'MY_PASSWORD';
 
+    beforeEach(function() {
+      app = express();
+      app.use(require('body-parser').json());
+      output = st();
+    });
+
+    it('obfuscates body', function(done) {
+      app.use(bunyanLogger({
+        stream: output,
+        obfuscate: ['req.body.password']
+      }));
+
+      app.post('/', function(req, res) {
+        res.send('POST /');
+      });
+
+      request(app)
+        .post('/')
+        .send({username: USERNAME, password: PASSWORD})
+        .expect('POST /', function(err, res) {
+          var json = JSON.parse(output.content.toString());
+          assert.equal(json.name, 'express');
+          assert.equal(json.url, '/');
+          assert.equal(json['status-code'], 200);
+
+          assert(json.body);
+          assert.equal(json.body.username, USERNAME);
+          assert.equal(json.body.password, '[HIDDEN]');
+
+          done();
+        });
+    });
+
+    it('uses custom placeholder', function(done) {
+      var PLACEHOLDER = 'AAAAAA';
+
+      app.use(bunyanLogger({
+        stream: output,
+        obfuscate: ['req.body.password'],
+        obfuscatePlaceholder: PLACEHOLDER
+      }));
+
+      app.post('/', function(req, res) {
+        res.send('POST /');
+      });
+
+      request(app)
+        .post('/')
+        .send({username: USERNAME, password: PASSWORD})
+        .expect('POST /', function(err, res) {
+          var json = JSON.parse(output.content.toString());
+          assert.equal(json.name, 'express');
+          assert.equal(json.url, '/');
+          assert.equal(json['status-code'], 200);
+
+          assert(json.body);
+          assert.equal(json.body.username, USERNAME);
+          assert.equal(json.body.password, PLACEHOLDER);
+
+          done();
+        });
+    });
+
+    it('obfuscates short-body', function(done) {
+      app.use(bunyanLogger({
+        stream: output,
+        obfuscate: ['req.body.p']
+      }));
+
+      app.post('/', function(req, res) {
+        res.send('POST /');
+      });
+
+      request(app)
+        .post('/')
+        .send({p: 'MY_PASSWORD'})
+        .expect('POST /', function(err, res) {
+          var json = JSON.parse(output.content.toString());
+          assert.equal(json.name, 'express');
+          assert.equal(json.url, '/');
+          assert.equal(json['status-code'], 200);
+
+          assert(json['short-body']);
+
+          // We specifically chose a short key here to ensure our test was valid
+          // If there were multiple keys, there's a chance it won't appear
+          expected = util.inspect({p: '[HIDDEN]'}).substring(0, 20);
+          assert.equal(json['short-body'], expected);
+
+          done();
+        });
+    });
+  });
+
   it('test excludes', function(done) {
@@ -156,3 +255,3 @@ var app = express();
     });
-    
+
     request(app)
@@ -184,3 +283,3 @@ .get('/')
     });
-    
+
     request(app)
@@ -219,3 +318,3 @@ .get('/')
         assert(json.res && json.req && json.err);
-        
+
         done();
@@ -308,3 +407,1 @@ });
 });
-
-

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

23457

increased by20.91%

Lines of code

521

increased by24.94%

Number of lines in readme file

146

increased by8.15%

Number of medium supply chain risk alerts

1

decreased by-50%

Worsened metrics

Dependency count

5

increased by66.67%

Dev dependency count

6

increased by20%

Dependency changes

• + Addedlodash.has@^3.2.1

• + Addedlodash.set@^3.7.4

• + Addedlodash._baseget@3.7.2(transitive)

• + Addedlodash._baseslice@3.0.3(transitive)

• + Addedlodash._topath@3.8.1(transitive)

• + Addedlodash.has@3.2.1(transitive)

• + Addedlodash.isarguments@3.1.0(transitive)

• + Addedlodash.isarray@3.0.4(transitive)

• + Addedlodash.set@3.7.4(transitive)