[4.3] start framework to ensure sensitive information wont make it on…

…to log lines (#6654)
2600hz · Oct 21, 2020 · 1fbde96 · 1fbde96
1 parent 191cdcb
commit 1fbde96
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/applications/crossbar/src/api_util.erl b/applications/crossbar/src/api_util.erl
@@ -530,7 +530,7 @@ handle_max_filesize_exceeded(Context, Req1) ->
 decode_json_body(ReqBody, Req) ->
     try kz_json:unsafe_decode(ReqBody) of
         JObj ->
-            lager:debug("request has a json payload: ~s", [ReqBody]),
+            lager:debug("request has a json payload: ~s", [kz_log:redactor(ReqBody)]),
             {normalize_envelope_keys(JObj), Req}
     catch
         'throw':{'invalid_json',{'error',{ErrLine, ErrMsg}}, _JSON} ->

diff --git a/core/kazoo_stdlib/src/kz_log.erl b/core/kazoo_stdlib/src/kz_log.erl
@@ -11,6 +11,7 @@
         ,change_syslog_log_level/1
         ,change_file_log_level/2
         ]).
+-export([redactor/1]).
 
 -export_type([log_level/0]).
 
@@ -35,6 +36,7 @@
 
 -define(LOG(Fmt), begin lager:info(Fmt), io:format(Fmt ++ "~n") end).
 -define(LOG(Fmt, Args), begin lager:info(Fmt, Args), io:format(Fmt ++ "~n", Args) end).
+-define(REDACTED_REPLACEMENT, "***REDACTED***").
 
 -spec change_console_log_level(log_level()) -> 'ok'.
 change_console_log_level(L) when is_atom(L) ->
@@ -72,3 +74,18 @@ update_log_level([Backend|Backends], Level) ->
             lager:set_loglevel(Backend, Level)
     end,
     update_log_level(Backends, Level).
+
+-spec redactor(kz_term:text()) -> kz_term:text().
+redactor(Line) ->
+    Routines = [fun redact_json_password/1
+               ,fun redact_json_credit_card_number/1
+               ],
+    lists:foldl(fun(F, L) -> F(L) end, Line, Routines).
+
+-spec redact_json_password(kz_term:text()) -> kz_term:binary().
+redact_json_password(Line) ->
+    re:replace(Line, <<"(([\'\"])password\\2\\s*:\\s*\\2)((?:.(?!(?<![\\\\])\\2))*.?)\\2">>, "\\1" ++ ?REDACTED_REPLACEMENT ++ "\\2", [{'return', 'binary'}]).
+
+-spec redact_json_credit_card_number(kz_term:text()) -> kz_term:binary().
+redact_json_credit_card_number(Line) ->
+    re:replace(Line, <<"(([\'\"])credit_card\\2\\s*:\\s*{\\s*\\2number\\2\\s*:\\s*\\2)((?:.(?!(?<![\\\\])\\2))*.?)\\2">>, "\\1" ++ ?REDACTED_REPLACEMENT ++ "\\2", [{'return', 'binary'}]).