Skip to content

Commit 7505b3b

Browse files
feat: add missing sensitive fields to redactSensitiveData (calcom#24121)
- Add private_key, encrypted_credentials, tenant_id, client_email, serviceAccountKey to SENSITIVE_FIELDS array - Add comprehensive test cases for delegation credential sensitive fields - Prevents logging of sensitive delegation credential data including private keys Fixes security issue where delegation credential sensitive fields were not being redacted from logs Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: morgan@cal.com <morgan@cal.com> Co-authored-by: Morgan <33722304+ThyMinimalDev@users.noreply.github.com>
1 parent 758dc88 commit 7505b3b

2 files changed

Lines changed: 53 additions & 1 deletion

File tree

packages/lib/redactSensitiveData.test.ts

Lines changed: 48 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -150,7 +150,7 @@ describe("redactSensitiveData", () => {
150150
});
151151

152152
it("should handle circular references gracefully", () => {
153-
const input: any = { name: "test" };
153+
const input: Record<string, unknown> = { name: "test" };
154154
input.self = input;
155155
expect(redactSensitiveData(input)).toMatchInlineSnapshot(`
156156
{
@@ -175,4 +175,51 @@ describe("redactSensitiveData", () => {
175175
}
176176
`);
177177
});
178+
179+
it("should redact delegation credential sensitive fields", () => {
180+
const input = {
181+
serviceAccountKey: {
182+
client_id: "client123",
183+
client_email: "service@example.com",
184+
private_key: "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC...",
185+
tenant_id: "tenant123",
186+
},
187+
encrypted_credentials: "encrypted_data_here",
188+
normalField: "value",
189+
};
190+
expect(redactSensitiveData(input)).toMatchInlineSnapshot(`
191+
{
192+
"encrypted_credentials": "[REDACTED]",
193+
"normalField": "value",
194+
"serviceAccountKey": "[REDACTED]",
195+
}
196+
`);
197+
});
198+
199+
it("should redact nested delegation credential fields", () => {
200+
const input = {
201+
credential: {
202+
delegatedTo: {
203+
serviceAccountKey: {
204+
private_key: "sensitive_key",
205+
client_email: "service@example.com",
206+
tenant_id: "tenant123",
207+
},
208+
},
209+
},
210+
config: {
211+
private_key: "another_private_key",
212+
client_email: "another@example.com",
213+
},
214+
};
215+
expect(redactSensitiveData(input)).toMatchInlineSnapshot(`
216+
{
217+
"config": {
218+
"client_email": "[REDACTED]",
219+
"private_key": "[REDACTED]",
220+
},
221+
"credential": "[REDACTED]",
222+
}
223+
`);
224+
});
178225
});

packages/lib/redactSensitiveData.ts

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,14 +7,19 @@ const SENSITIVE_FIELDS = [
77
"apiKey",
88
"auth",
99
"authorization",
10+
"client_email",
1011
"client_id",
1112
"client_secret",
1213
"credential",
14+
"encrypted_credentials",
1315
"hash",
1416
"key",
1517
"password",
18+
"private_key",
1619
"refreshToken",
1720
"secret",
21+
"serviceAccountKey",
22+
"tenant_id",
1823
"token",
1924
];
2025

0 commit comments

Comments
 (0)