refactor: change redaction to explicit paths instead of recursive

d-gubert · d-gubert · commit 48d38833e9c9 · 2026-04-10T15:24:37.000-03:00
diff --git a/apps/meteor/ee/server/apps/lib/redactor.ts b/apps/meteor/ee/server/apps/lib/redactor.ts
@@ -1,36 +1,44 @@
 import fastRedact from 'fast-redact';
 
-export const redactionFields = {
-	'cookie': 'cookie',
-	'x-auth-token': '["x-auth-token"]',
-	'authorization': 'authorization',
-	'access_token': 'access_token',
-	'customFields': 'customFields.*',
-	'emails': 'emails[*].address',
-	'email': 'email',
-	'password': 'password',
-	'pass': 'pass',
-};
+const requestFields = [
+	'Cookie',
+	'cookie',
+	'["x-auth-token"]',
+	'["X-Auth-Token"]',
+	'auth',
+	'Auth',
+	'authorization',
+	'Authorization',
+	'access_token',
+];
 
-const redactor = fastRedact({
-	paths: Object.values(redactionFields),
-	serialize: false,
-	strict: false,
-});
-
-export function redact(value: unknown): void {
-	if (!value || typeof value !== 'object') return;
+const entityFields = ['password', 'pass', 'customFields.*', '_unmappedProperties_'];
 
-	if (Array.isArray(value)) {
-		return value.forEach(redact);
-	}
+const roomFields = ['customFields.*', '_unmappedProperties_', ...entityFields.map((field) => `creator.${field}`)];
 
-	redactor(value);
+export const redactionFieldPaths = [
+	...requestFields,
+	...entityFields,
+	// Fields in debug logging
+	'info.query.query', // The deprecated `query` search param
+	...requestFields.map((field) => `info.query${field.startsWith('[') ? field : `.${field}`}`),
+	...requestFields.map((field) => `info.headers${field.startsWith('[') ? field : `.${field}`}`),
+	...requestFields.map((field) => `info.content${field.startsWith('[') ? field : `.${field}`}`),
+	...requestFields.map((field) => `info.data${field.startsWith('[') ? field : `.${field}`}`),
+	// Incoming requests to the Apps API endpoints
+	'query.query', // The deprecated `query` search param
+	...requestFields.map((field) => `query${field.startsWith('[') ? field : `.${field}`}`),
+	...requestFields.map((field) => `headers${field.startsWith('[') ? field : `.${field}`}`),
+	...requestFields.map((field) => `content${field.startsWith('[') ? field : `.${field}`}`),
+	...entityFields.map((field) => `user.${field}`),
+	// Slashcommands
+	...roomFields.map((field) => `params[0].room.${field}`),
+	...entityFields.map((field) => `params[0].sender.${field}`),
+];
 
-	Object.entries(value).forEach(([key, val]) => {
-		// Don't recurse into properties that have already been redacted
-		if (!(key in redactionFields)) {
-			redact(val);
-		}
-	});
-}
+export const redact = fastRedact({
+	paths: redactionFieldPaths,
+	censor: '[Redacted]',
+	serialize: false,
+	strict: false,
+});
