SENSITIVE_KEYS not working for Auth data
racerxdl opened this issue · comments
Bug Description
I discovered that the zapier was leaking my customer private keys over the log when inspection a error (see https://community.zapier.com/developer-discussion-13/how-to-redact-fields-in-auth-data-8831 )
So trying to figure out how to fix that, I found this:
https://github.com/zapier/zapier-platform/blob/master/packages/core/src/constants.js#L26-L35
Which sets the keys to be redacted to
const SENSITIVE_KEYS = [
'api_key',
'apikey',
'auth',
'passwd',
'password',
'secret',
'signature',
'token',
];
But even with that, the field is not being redacted from the logs:
Weirdly enough, the environment
which is not listed there (and doesnt need to be) is sensored along the password field
I even tried to put the gpg key in the environment field, it doesnt redact it. My environment field is a choices
string field with the sandbox
and production
values.
Reproduction Steps
- Create a auth field named
token
and put a gpg key inside it. - The content should be redacted because of
token
, but it isnt.
Version Info
- Version info: 10.1.2
- Operating System: Ubuntu 20.04
- App id: 127048
Also here is how I declare the fields:
const authentication = {
type: 'custom',
test: testAuth,
fields: [
{
key: 'token',
type: 'string',
required: true,
helpText: 'GPG Private Key'
},
{
key: 'password',
type: 'string',
required: true,
helpText: 'GPG Private Key Password'
},
{
key: 'environment',
label: 'Quanto Environment',
helpText: 'Choose the environment you want zapier to call',
type: 'string',
choices: envNames,
},
],
connectionLabel: (z: ZObject, bundle: Bundle) => {
// bundle.inputData contains data returned by `testAuth`
// - environment
// - name
// - email
// - fingerprint
const {name, email, environment, fingerprint} = bundle.inputData;
return `${name} <${email}> ${fingerprint} in ${environment}`;
}
}
I also found out that even activating the flag skipHttpPatch
didn't worked. It is still logging out everything.
@racerxdl thanks for filing, we're looking into this right away.
Btw just to have more info @xavdid, I tried the field as type password
but with that way it seens zapier does some post processing and breaks the GPG key. It removes all line breaks and limits the field size. But as far as I recall, it does mask the field in the logs that way.
I'm not sure which solution is faster, but I would say the best solution would be a flag that can be set in that field definition saying that its sensitive data. Then the developer can choose if its safe or not to print in the log.
Is there anyway we can help zapier with that or some estimate of time? I'm not sure where that log is generated, but looks inside zapier. this is blocking us from getting production with our app :(
Thanks!
Data in authData
should be censored automatically, so that's the bug I need to fix. An explicit key would be neat at some point though for sure!
In terms of timing, I should be able to get the fix in tomorrow. It'll get reviewed over the weekend and we've got a release scheduled next week that it'll go out with. It should land Wednesday at the latest, barring any unforeseen circumstances.
Great @xavdid ! Thats good to hear ^^
If there is anything I can help, let me know :D - I will be able to test as soon as its fixed ^^
This will be a server-side fix and we've got an internal PR open. No further action will be needed on your end. I'll close this when that code is deployed.
@racerxdl This fix is deployed to prod internally. Old logs will rotate out the next few days and any new logs should be properly censored.
Let me know if you find that's not the case!
Nice! Just tested, worked perfectly :D
Thanks @xavdid 💯