[server] sanitize logging

AlexTugarev · roboquat · commit 0f5f12137264 · 2022-04-12T19:46:25.000+05:30
diff --git a/components/server/ee/src/prebuilds/bitbucket-app.ts b/components/server/ee/src/prebuilds/bitbucket-app.ts
@@ -54,7 +54,7 @@ export class BitbucketApp {
                     console.warn(`Ignoring unsupported bitbucket event: ${req.header("X-Event-Key")}`);
                 }
             } catch (err) {
-                console.error(`Couldn't handle request.`, err, { headers: req.headers, reqBody: req.body });
+                console.error(`Couldn't handle request.`, err, { headers: req.headers });
             } finally {
                 // we always respond with OK, when we received a valid event.
                 res.sendStatus(200);
@@ -189,7 +189,7 @@ function toData(body: BitbucketPushHook): ParsedRequestData | undefined {
         gitCloneUrl: body.repository.links.html.href + ".git",
     };
     if (!result.commitHash || !result.repoUrl) {
-        console.error("Bitbucket push event: unexpected request body.", body);
+        console.error("Bitbucket push event: unexpected request body.");
         throw new Error("Unexpected request body.");
     }
     return result;
diff --git a/components/server/ee/src/prebuilds/bitbucket-server-app.ts b/components/server/ee/src/prebuilds/bitbucket-server-app.ts
@@ -52,7 +52,7 @@ export class BitbucketServerApp {
                     console.warn(`Ignoring unsupported BBS event.`, { headers: req.headers });
                 }
             } catch (err) {
-                console.error(`Couldn't handle request.`, err, { headers: req.headers, reqBody: req.body });
+                console.error(`Couldn't handle request.`, err, { headers: req.headers });
             } finally {
                 // we always respond with OK, when we received a valid event.
                 res.sendStatus(200);
diff --git a/components/server/ee/src/prebuilds/github-app.ts b/components/server/ee/src/prebuilds/github-app.ts
@@ -442,9 +442,9 @@ export class GithubApp {
             prebuildStartPromise.catch((err) => log.error(err, "Error while starting prebuild", { contextURL }));
             return prebuildStartPromise;
         } else {
-            log.debug({ userId: user.id }, `Not running prebuild, the user did not enable it for this context`, {
+            log.debug({ userId: user.id }, `Not running prebuild, the user did not enable it for this context`, null, {
                 contextURL,
-                user,
+                userId: user.id,
                 project,
             });
             return;
diff --git a/components/server/ee/src/prebuilds/github-enterprise-app.ts b/components/server/ee/src/prebuilds/github-enterprise-app.ts
@@ -45,7 +45,7 @@ export class GitHubEnterpriseApp {
                 try {
                     user = await this.findUser({ span }, payload, req);
                 } catch (error) {
-                    log.error("Cannot find user.", error, { req });
+                    log.error("Cannot find user.", error, {});
                 }
                 if (!user) {
                     res.statusCode = 401;
diff --git a/components/server/ee/src/prebuilds/gitlab-app.ts b/components/server/ee/src/prebuilds/gitlab-app.ts
@@ -43,7 +43,7 @@ export class GitLabApp {
                 try {
                     user = await this.findUser({ span }, context, req);
                 } catch (error) {
-                    log.error("Cannot find user.", error, { req });
+                    log.error("Cannot find user.", error, {});
                 }
                 if (!user) {
                     res.statusCode = 503;
diff --git a/components/server/src/auth/auth-provider-service.ts b/components/server/src/auth/auth-provider-service.ts
@@ -49,6 +49,7 @@ export class AuthProviderService {
     protected toAuthProviderParams = (oap: AuthProviderEntry) =>
         <AuthProviderParams>{
             ...oap,
+            // HINT: host is expected to be lower case
             host: oap.host.toLowerCase(),
             verified: oap.status === "verified",
             builtin: false,
diff --git a/components/server/src/auth/authenticator.ts b/components/server/src/auth/authenticator.ts
@@ -75,7 +75,7 @@ export class Authenticator {
             for (const { authProvider } of hostContexts) {
                 const authCallbackPath = authProvider.authCallbackPath;
                 if (req.url.startsWith(authCallbackPath)) {
-                    log.info(`Auth Provider Callback. Path: ${authCallbackPath}`, { req });
+                    log.info(`Auth Provider Callback. Path: ${authCallbackPath}`);
                     await authProvider.callback(req, res, next);
                     return;
                 }
@@ -104,26 +104,25 @@ export class Authenticator {
         const host: string = req.query.host?.toString() || "";
         const authProvider = host && (await this.getAuthProviderForHost(host));
         if (!host || !authProvider) {
-            log.info({ sessionId: req.sessionID }, `Bad request: missing parameters.`, { req, "login-flow": true });
+            log.info({ sessionId: req.sessionID }, `Bad request: missing parameters.`, { "login-flow": true });
             res.redirect(this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
         if (this.config.disableDynamicAuthProviderLogin && !authProvider.params.builtin) {
-            log.info({ sessionId: req.sessionID }, `Auth Provider is not allowed.`, { req, ap: authProvider.info });
+            log.info({ sessionId: req.sessionID }, `Auth Provider is not allowed.`, { ap: authProvider.info });
             res.redirect(this.getSorryUrl(`Login with ${authProvider.params.host} is not allowed.`));
             return;
         }
         if (!req.session) {
             increaseLoginCounter("failed", authProvider.info.host);
-            log.info({}, `No session.`, { req, "login-flow": true });
+            log.info({}, `No session.`, { "login-flow": true });
             res.redirect(this.getSorryUrl(`No session found. Please refresh the browser.`));
             return;
         }
 
         if (!authProvider.info.verified && !(await this.isInSetupMode())) {
             increaseLoginCounter("failed", authProvider.info.host);
             log.info({ sessionId: req.sessionID }, `Login with "${host}" is not permitted.`, {
-                req,
                 "login-flow": true,
                 ap: authProvider.info,
             });
@@ -153,7 +152,7 @@ export class Authenticator {
     async deauthorize(req: express.Request, res: express.Response, next: express.NextFunction) {
         const user = req.user;
         if (!req.isAuthenticated() || !User.is(user)) {
-            log.info({ sessionId: req.sessionID }, `User is not authenticated.`, { req });
+            log.info({ sessionId: req.sessionID }, `User is not authenticated.`);
             res.redirect(this.getSorryUrl(`Not authenticated. Please login.`));
             return;
         }
@@ -163,7 +162,7 @@ export class Authenticator {
         const authProvider = host && (await this.getAuthProviderForHost(host));
 
         if (!host || !authProvider) {
-            log.warn({ sessionId: req.sessionID }, `Bad request: missing parameters.`, { req });
+            log.warn({ sessionId: req.sessionID }, `Bad request: missing parameters.`);
             res.redirect(this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
@@ -174,7 +173,6 @@ export class Authenticator {
         } catch (error) {
             next(error);
             log.error({ sessionId: req.sessionID }, `Failed to disconnect a provider.`, error, {
-                req,
                 host,
                 userId: user.id,
             });
@@ -188,13 +186,13 @@ export class Authenticator {
 
     async authorize(req: express.Request, res: express.Response, next: express.NextFunction) {
         if (!req.session) {
-            log.info({}, `No session.`, { req, "authorize-flow": true });
+            log.info({}, `No session.`, { "authorize-flow": true });
             res.redirect(this.getSorryUrl(`No session found. Please refresh the browser.`));
             return;
         }
         const user = req.user;
         if (!req.isAuthenticated() || !User.is(user)) {
-            log.info({ sessionId: req.sessionID }, `User is not authenticated.`, { req, "authorize-flow": true });
+            log.info({ sessionId: req.sessionID }, `User is not authenticated.`, { "authorize-flow": true });
             res.redirect(this.getSorryUrl(`Not authenticated. Please login.`));
             return;
         }
@@ -204,14 +202,13 @@ export class Authenticator {
         const override = req.query.override === "true";
         const authProvider = host && (await this.getAuthProviderForHost(host));
         if (!returnTo || !host || !authProvider) {
-            log.info({ sessionId: req.sessionID }, `Bad request: missing parameters.`, { req, "authorize-flow": true });
+            log.info({ sessionId: req.sessionID }, `Bad request: missing parameters.`, { "authorize-flow": true });
             res.redirect(this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
 
         if (!authProvider.info.verified && user.id !== authProvider.info.ownerId) {
             log.info({ sessionId: req.sessionID }, `Authorization with "${host}" is not permitted.`, {
-                req,
                 "authorize-flow": true,
                 ap: authProvider.info,
             });
diff --git a/components/server/src/auth/generic-auth-provider.ts b/components/server/src/auth/generic-auth-provider.ts
@@ -216,7 +216,7 @@ export class GenericAuthProvider implements AuthProvider {
                 expiryDate,
             });
         } catch (error) {
-            log.error(`(${this.strategyName}) Failed to refresh token!`, { error, token });
+            log.error(`(${this.strategyName}) Failed to refresh token!`, { error });
             throw error;
         }
     }
@@ -252,7 +252,6 @@ export class GenericAuthProvider implements AuthProvider {
                     log.error(`(${this.strategyName}) Failed to fetch from "configURL"`, {
                         error,
                         configURL,
-                        accessToken,
                     });
                     throw new Error("Error while reading user profile.");
                 }
@@ -274,14 +273,13 @@ export class GenericAuthProvider implements AuthProvider {
                     log.error(`(${this.strategyName}) Failed to call "fetchAuthUserSetup"`, {
                         error,
                         configFn,
-                        accessToken,
                     });
                     throw new Error("Error with the Auth Provider Configuration.");
                 }
                 try {
                     return await promise;
                 } catch (error) {
-                    log.error(`(${this.strategyName}) Failed to run "configFn"`, { error, configFn, accessToken });
+                    log.error(`(${this.strategyName}) Failed to run "configFn"`, { error, configFn });
                     throw new Error("Error while reading user profile.");
                 }
             };
@@ -313,14 +311,13 @@ export class GenericAuthProvider implements AuthProvider {
         const clientInfo = getRequestingClientInfo(request);
         const cxt = LogContext.from({ user: request.user });
         if (response.headersSent) {
-            log.warn(cxt, `(${strategyName}) Callback called repeatedly.`, { request, clientInfo });
+            log.warn(cxt, `(${strategyName}) Callback called repeatedly.`, { clientInfo });
             return;
         }
         log.info(cxt, `(${strategyName}) OAuth2 callback call. `, {
             clientInfo,
             authProviderId,
             requestUrl: request.originalUrl,
-            request,
         });
 
         const isAlreadyLoggedIn = request.isAuthenticated() && User.is(request.user);
@@ -330,7 +327,7 @@ export class GenericAuthProvider implements AuthProvider {
                 log.warn(
                     cxt,
                     `(${strategyName}) User is already logged in. No auth info provided. Redirecting to dashboard.`,
-                    { request, clientInfo },
+                    { clientInfo },
                 );
                 response.redirect(this.config.hostUrl.asDashboard().toString());
                 return;
@@ -341,20 +338,20 @@ export class GenericAuthProvider implements AuthProvider {
         if (!authFlow) {
             increaseLoginCounter("failed", this.host);
 
-            log.error(cxt, `(${strategyName}) No session found during auth callback.`, { request, clientInfo });
+            log.error(cxt, `(${strategyName}) No session found during auth callback.`, { clientInfo });
             response.redirect(this.getSorryUrl(`Please allow Cookies in your browser and try to log in again.`));
             return;
         }
 
         if (authFlow.host !== this.host) {
             increaseLoginCounter("failed", this.host);
 
-            log.error(cxt, `(${strategyName}) Host does not match.`, { request, clientInfo });
+            log.error(cxt, `(${strategyName}) Host does not match.`, { clientInfo });
             response.redirect(this.getSorryUrl(`Host does not match.`));
             return;
         }
 
-        const defaultLogPayload = { authFlow, clientInfo, authProviderId, request };
+        const defaultLogPayload = { authFlow, clientInfo, authProviderId };
 
         // check OAuth2 errors
         const callbackParams = new URL(`https://anyhost${request.originalUrl}`).searchParams;
diff --git a/components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts b/components/server/src/bitbucket-server/bitbucket-server-auth-provider.ts
@@ -71,7 +71,7 @@ export class BitbucketServerAuthProvider extends GenericAuthProvider {
                 currentScopes: BitbucketServerOAuthScopes.ALL,
             };
         } catch (error) {
-            log.error(`(${this.strategyName}) Reading current user info failed`, error, { accessToken, error });
+            log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });
             throw error;
         }
     };
diff --git a/components/server/src/bitbucket/bitbucket-auth-provider.ts b/components/server/src/bitbucket/bitbucket-auth-provider.ts
@@ -85,7 +85,7 @@ export class BitbucketAuthProvider extends GenericAuthProvider {
                 currentScopes,
             };
         } catch (error) {
-            log.error(`(${this.strategyName}) Reading current user info failed`, error, { accessToken, error });
+            log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });
             throw error;
         }
     };
diff --git a/components/server/src/express/ws-connection-handler.ts b/components/server/src/express/ws-connection-handler.ts
@@ -113,7 +113,7 @@ export class WsConnectionHandler implements Disposable {
             ws.on("error", (err: any) => {
                 if (err.code !== "ECONNRESET" && err.code !== "EPIPE") {
                     // exclude very common errors
-                    log.warn("websocket error, closing.", err, { ws, req });
+                    log.warn("websocket error, closing.", err);
                 }
                 ws.close(); // ws should trigger close() itself on any socket error. We do this just to be sure.
             });
diff --git a/components/server/src/express/ws-layer.ts b/components/server/src/express/ws-layer.ts
@@ -51,7 +51,7 @@ export class WsLayerImpl implements WsLayer {
         try {
             return fn(ws, req, next);
         } catch (err) {
-            log.error(err, { ws, req });
+            log.error(err);
             return next(err);
         }
     }
@@ -60,7 +60,7 @@ export class WsLayerImpl implements WsLayer {
         try {
             return this.next(ws, req);
         } catch (err) {
-            log.error(err, { ws, req });
+            log.error(err);
         }
     }
 
diff --git a/components/server/src/github/github-auth-provider.ts b/components/server/src/github/github-auth-provider.ts
@@ -127,7 +127,7 @@ export class GitHubAuthProvider extends GenericAuthProvider {
                 currentScopes,
             };
         } catch (error) {
-            log.error(`(${this.strategyName}) Reading current user info failed`, error, { accessToken, error });
+            log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });
             throw error;
         }
     };

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ export class BitbucketServerApp {`
`52`	`52`	console.warn(`Ignoring unsupported BBS event.`, { headers: req.headers });
`53`	`53`	`}`
`54`	`54`	`} catch (err) {`
`55`		- console.error(`Couldn't handle request.`, err, { headers: req.headers, reqBody: req.body });
	`55`	+ console.error(`Couldn't handle request.`, err, { headers: req.headers });
`56`	`56`	`} finally {`
`57`	`57`	`// we always respond with OK, when we received a valid event.`
`58`	`58`	`res.sendStatus(200);`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ export class GitHubEnterpriseApp {`
`45`	`45`	`try {`
`46`	`46`	`user = await this.findUser({ span }, payload, req);`
`47`	`47`	`} catch (error) {`
`48`		`- log.error("Cannot find user.", error, { req });`
	`48`	`+ log.error("Cannot find user.", error, {});`
`49`	`49`	`}`
`50`	`50`	`if (!user) {`
`51`	`51`	`res.statusCode = 401;`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ export class GitLabApp {`
`43`	`43`	`try {`
`44`	`44`	`user = await this.findUser({ span }, context, req);`
`45`	`45`	`} catch (error) {`
`46`		`- log.error("Cannot find user.", error, { req });`
	`46`	`+ log.error("Cannot find user.", error, {});`
`47`	`47`	`}`
`48`	`48`	`if (!user) {`
`49`	`49`	`res.statusCode = 503;`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ export class BitbucketServerAuthProvider extends GenericAuthProvider {`
`71`	`71`	`currentScopes: BitbucketServerOAuthScopes.ALL,`
`72`	`72`	`};`
`73`	`73`	`} catch (error) {`
`74`		- log.error(`(${this.strategyName}) Reading current user info failed`, error, { accessToken, error });
	`74`	+ log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });
`75`	`75`	`throw error;`
`76`	`76`	`}`
`77`	`77`	`};`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ export class BitbucketAuthProvider extends GenericAuthProvider {`
`85`	`85`	`currentScopes,`
`86`	`86`	`};`
`87`	`87`	`} catch (error) {`
`88`		- log.error(`(${this.strategyName}) Reading current user info failed`, error, { accessToken, error });
	`88`	+ log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });
`89`	`89`	`throw error;`
`90`	`90`	`}`
`91`	`91`	`};`
Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ export class WsConnectionHandler implements Disposable {`
`113`	`113`	`ws.on("error", (err: any) => {`
`114`	`114`	`if (err.code !== "ECONNRESET" && err.code !== "EPIPE") {`
`115`	`115`	`// exclude very common errors`
`116`		`- log.warn("websocket error, closing.", err, { ws, req });`
	`116`	`+ log.warn("websocket error, closing.", err);`
`117`	`117`	`}`
`118`	`118`	`ws.close(); // ws should trigger close() itself on any socket error. We do this just to be sure.`
`119`	`119`	`});`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ export class WsLayerImpl implements WsLayer {`
`51`	`51`	`try {`
`52`	`52`	`return fn(ws, req, next);`
`53`	`53`	`} catch (err) {`
`54`		`- log.error(err, { ws, req });`
	`54`	`+ log.error(err);`
`55`	`55`	`return next(err);`
`56`	`56`	`}`
`57`	`57`	`}`
`@@ -60,7 +60,7 @@ export class WsLayerImpl implements WsLayer {`
`60`	`60`	`try {`
`61`	`61`	`return this.next(ws, req);`
`62`	`62`	`} catch (err) {`
`63`		`- log.error(err, { ws, req });`
	`63`	`+ log.error(err);`
`64`	`64`	`}`
`65`	`65`	`}`
`66`	`66`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ export class GitHubAuthProvider extends GenericAuthProvider {`
`127`	`127`	`currentScopes,`
`128`	`128`	`};`
`129`	`129`	`} catch (error) {`
`130`		- log.error(`(${this.strategyName}) Reading current user info failed`, error, { accessToken, error });
	`130`	+ log.error(`(${this.strategyName}) Reading current user info failed`, error, { error });
`131`	`131`	`throw error;`
`132`	`132`	`}`
`133`	`133`	`};`