as titled

I'm passing a path in the paths array of fast-redact instance options, that is not present in the object which is being passed for the redaction.

const fastRedact = require('fast-redact');

const fauxRequest = {
  headers: {
    host: 'http://example.com',
    cookie: `oh oh we don't want this exposed in logs in etc.`,
    referer: `if we're cool maybe we'll even redact this`,
  },
};

const redact = fastRedact({
  paths: ['referer', 'headers.cookie', 'body.secret'],
  censor: '***REDACTED***',
});

const redactResult = redact(fauxRequest);

console.log(redactResult);

When I run the above snippet, I'm getting the below error:

undefined:10
      o.body.secret = secret["body.secret"].val
                    ^

TypeError: Cannot set property 'secret' of undefined
    at Object.eval (eval at compileRestore (/Users/harishkumarmatta/Desktop/Incubator/code-logs/node_modules/fast-redact/lib/restorer.js:16:20), <anonymous>:10:21)
    at Object.eval (eval at redactor (/Users/harishkumarmatta/Desktop/Incubator/code-logs/node_modules/fast-redact/lib/redactor.js:9:18), <anonymous>:66:10)
    at Object.<anonymous> (/Users/harishkumarmatta/Desktop/Incubator/code-logs/redact.js:16:22)
    at Module._compile (internal/modules/cjs/loader.js:1158:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
    at Module.load (internal/modules/cjs/loader.js:1002:32)
    at Function.Module._load (internal/modules/cjs/loader.js:901:14)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
    at internal/main/run_main_module.js:18:47

I'm trying to have a single redaction instance, and passing all the redactable fields as paths. so that I can pass any object to the fast-redact instance.

Isn't it, how this module will work? I checked with Pino logging, it is working as expected. But when I try to use this module explicitly, I got the above-mentioned error.

Thank you.

Hi,

Thanks a lot for the great lib.

I just wanted to raise this bug. An error is thrown in this edge case:

    const redact = fastRedact({
      paths: ['*.*.x'],
      serialize: false,
      censor: "[REDACTED]",
    });

    expect(redact({a: {b: null}})).toEqual({a: {b: null}});

Cannot use 'in' operator to search for 'x' in null
TypeError: Cannot use 'in' operator to search for 'x' in null
at specialSet (/workspace/lib-logger/node_modules/fast-redact/lib/modifiers.js:120:53)
at nestedRedact (/workspace/lib-logger/node_modules/fast-redact/lib/modifiers.js:73:7)

As with #7, the whole codebase needs to be commented. It is very difficult to understand everything that is going on in this project. Without some explanations in the code, it is basically impossible for others to come along and contribute, e.g. #5.

With the non-descriptive variable names, this function is a mystery. A leading comment describing the parameters and what the function accomplishes would help:

It is difficult to understand at first that this is building an object of compiled paths (if I even understand it?). A description of what is going on along with sample inputs and outputs would be very helpful:

Brief introductions to each function should be present:
https://github.com/davidmarkclements/fast-redact/blob/3bc8dbe3547542b22b44262067d7390d5efc37b8/lib/redactor.js

Explanations of when these functions get used and how:
https://github.com/davidmarkclements/fast-redact/blob/3bc8dbe3547542b22b44262067d7390d5efc37b8/lib/restorer.js

Would you be interested in a PR for a TypeScript rewrite?

It is mentioned in the Benchmarks section of the README file that:

In the direct calling case, fast-redact is ~30x faster than pino-noir, however a more realistic comparison is overhead on JSON.stringify.

For a static redaction case (no wildcards) pino-noir adds ~25% overhead on top of JSON.stringify whereas fast-redact adds ~1% overhead.

I attempted to measure the overhead firsthand. In this benchmark, fast-redact performed orders of magnitude slower than JSON.stringify (using the Default Usage example from the README file), which makes the overhead astronomical:

jsonStringify x 1,094,634 ops/sec ±0.74% (89 runs sampled)
fastRedactWithSerialization x 791 ops/sec ±5.98% (74 runs sampled)
fastRedactWithoutSerialization x 841 ops/sec ±4.94% (78 runs sampled)
Fastest is jsonStringify

The benchmarks were run on a MacBook Pro (15-inch, 2019) with the following specs:

• Processor: 2.6 GHz 6-Core Intel Core i7
• Memory: 16 GB 2400 MHz DDR4
• Operating system: macOS Big Sur
• Node.js version: 16.13.1 LTS

Could you please help me make sense of those results? You can find the benchmarking code here.

Thanks!

Hi, I'm trying to use fast-redact to redact headers that comes from an api gateway request.
In this request there's an header containing the customer api key called x-api-key.
This code throws an exception in the validator

const params = req.headers
const redact = fastRedact({
        paths: ['x-api-key'],
        serialize: false
    });
    const redacted = redact(params);

Throws this exception

ReferenceError: api is not defined
  at evalmachine.<anonymous>:4:17
    at evalmachine.<anonymous>:6:13
    at Script.runInContext (node:vm:139:12)
    at runInContext (node:vm:289:6)
    at /Users/tiziano_faion/BizAway/RiskAssessment/node_modules/bizlogger/node_modules/fast-redact/lib/validator.js:24:9

Hi, I'm trying to use this package in a React app to redact sensitive tokens before logging the information to a remote server and have run into a problem. I'd like some help!

The error in the console is:

validator.js:34 Uncaught Error: fast-redact – Invalid path (headers.cookie)
    at validator.js:34
    at Array.forEach (<anonymous>)
    at validate (validator.js:14)
    at fastRedact (index.js:39)

However when I step into the code and look inside validator.js, the actual exception thrown is createContext is not a function

Right now I'm simply using the code provided in the Readme, but using an import instead of a require

import fastRedact from "fast-redact";
const redact = fastRedact({
    paths: ["headers.cookie", "headers.referer"],
});
const fauxRequest = {
    headers: {
      host: 'http://example.com',
      cookie: `oh oh we don't want this exposed in logs in etc.`,
      referer: `if we're cool maybe we'll even redact this`
    }
  }
console.log("Redacted Payload", redact(fauxRequest));

I'm using a redacted path like ['data.username']. fast-redact produces the following method signature for redaction:

(function(o
/*``*/) {

    if (typeof o !== 'object' || o == null) {
      throw Error('fast-redact: primitives cannot be redacted')
    }
    const { censor, secret } = this
    
      if (o.username != null) {
        const val = o.username
        if (val === censor) {
          secret["username"].precensored = true
        } else {
          secret["username"].val = val
          o.username = censor
          
      switch (true) {
        
      }
    
        }
      }
...

})

When using a library like axios, data can be either an object or a string when content type is application/json vs application/x-www-form-urlencoded. What are some thoughts about having a setting to just ignore redaction if an o is primitive vs throwing an error?

When the first call has the redacted property value equal the censor value, then subsequent calls will not restore the redacted property in the original object.

I've created a test case, please have a look:

https://github.com/adrianolek/fast-redact/blob/first-call-precensored/test/index.js#L292

Started in pinojs/pino#919

Issue: redaction is working upto level 2 when we use wildcards like ..* but after level 2, it is not working.

Here is the code where I want to redact field at level 3:
`const fastRedact = require('fast-redact')
const redact = fastRedact({
paths: [
'..entityPanNumber',
'..*.entityPanNumber' ],
censor: '*****'
})

console.log(redact({ "1": { "2": { "entityPanNumber": "DEF" } } }))
console.log(redact({ "1": { "2": { "3": { "entityPanNumber": "DEF" } } }}))`

The output is:
{"1":{"2":{"entityPanNumber":"*****"}}} {"1":{"2":{"3":{"entityPanNumber":"DEF"}}}}

How would you redact headers that are kebabed such as User-Agent within headers?

The following redaction pattern works on v3.1.2 and v3.2.0 but not on v3.3.0:

'use strict';

const fastRedact = require('fast-redact');

const thing = {
  prop: {
    top: {
      secret: 'top secret',
    },
  },
};

const redact = fastRedact({
  paths: ['*.*.secret', '*.top'],
  censor: '**SECRET**',
});

console.log(redact(thing));

On v3.3.0 it fails with the following error:

/Users/user/project/node_modules/fast-redact/lib/modifiers.js:54
    current[path[0]] = value
                     ^

TypeError: Cannot create property 'secret' on string '**SECRET**'
    at Object.nestedRestore (/Users/user/project/node_modules/fast-redact/lib/modifiers.js:54:22)
    at Object.eval (eval at compileRestore (/Users/user/project/node_modules/fast-redact/lib/restorer.js:15:20), <anonymous>:12:17)
    at Object.eval (eval at redactor (/Users/user/project/node_modules/fast-redact/lib/redactor.js:9:18), <anonymous>:24:10)
    at Object.<anonymous> (/Users/user/project/test.js:18:13)

The conditions to generate this failure seem to be:

• You are redacting a node (e.g top), but also one of it's child (e.g top.secret)
• In the redaction paths, you specify the child redaction pattern before the parent redaction pattern (e.g ['*.*.secret', '*.top'] fails but ['*.top', '*.*.secret'] works)

Would appreciate some help to understand whether this is working as designed, a bug or known limitation.

When providing path that has nested array, value of all redacted keys in the array gets overwritten to the value of the array's last index object value.

const fastRedact = require("fast-redact");
const redact = fastRedact({
  paths: ["a[*].b[*].c"],
});

const obj = {
  a: [{ b: [{ c: 1 }, { c: 2 }, { c: 3 }] }],
};

console.log(redact(obj));
console.log(inspect(obj, undefined, null));

Output

{"a":[{"b":[{"c":"[REDACTED]"},{"c":"[REDACTED]"},{"c":"[REDACTED]"}]}]}
{
  a: [
    { b: [ { c: 3 }, { c: 3 }, { c: 3 } ] }
  ]
}

Expected result of c should be retained as 1, 2, 3 respectively.

Looking at #15, it seems like perhaps a better fix would've been:

function strictImpl (strict) {
  return strict === true 
    ? `throw Error('fast-redact: primitives cannot be redacted')` 
    : `return this.serialize(o)`;
}

As long as the serializer is the default JSON.stringify, I believe the behavior above would match the behavior in PR #15. But, if the user has customized the serialize function to return something other than JSON, the assumption driving #15 (that the result should always be JSON) seems invalid. It would be more consistent imo to make the redacted output always go through serialize, with strict being orthogonal.

Thoughts?

When upgrading to v3.4.0, I noticed that redaction was causing the actual objects being redacted to be mutated, such that values are redacted beyond the scope of the logging.

To reproduce:

import pino from "pino";

const p = pino({
  level: process.env.LOG_LEVEL || "info",
  redact: [
    "items[*].name",
  ],
});

const toRedact = { items: [{ name: "John" }] };
const logger = p.child({ property: "value" });

logger.info(toRedact);

console.log('Printing response', toRedact);

logger.info(toRedact);

console.log('Printing response', toRedact);

This will result in the final console.log() statement to print out Printing response { items: [ { name: '[Redacted]' } ] }, showing that the actual value of name has been changed beyond the scope of pino logging. This behavior is not present in v3.3.0.

I'm not sure why but my secret object has an empty string property "": null

So on redact.restore, this line fails if (o.flat === true) this.groupRestore(o)

Happens when paths have '*.item', 'item',

Hello, i wrote test that shows what i mean,
so basically, if you provide deep enough sequence of wildcards, then all it needs is matching last key in object and its redacted. Even thou in paths you require also "the one before it" to match.

test("Test with multiple levels of wildcards", ({ end, is }) => {
  const censor = "censored";
  const value = "value";

  const paths = [
    "a.x",
    "a.y",
    "*.a.x",
    "*.a.y",

    // These break it
    "*.*.a.x",
    "*.*.a.y",

    // These wont do it
    // "*.*.a.x2",
    // "*.*.a.y2"
  ];

  const redact = fastRedact({ paths, censor, serialize: false });
  const o = {
    a: {
      x: value,
      y: value,
    },
    b: {
      x: value,
      y: value,
    },
  };

  redact(o);
  is(o.a.x, censor);
  is(o.a.y, censor);
  is(o.b.x, value);
  is(o.b.y, value);
  redact.restore(o);
  is(o.a.x, value);
  is(o.a.y, value);
  is(o.b.x, value);
  is(o.b.y, value);
  end();
});

fast-redact is used in Pino to support redaction of log fields.

For example, we may want to redact a path that may contain PII:

const fastRedact = require('fast-redact');

const redact = fastRedact({ paths: ['pii.*'] });

const goodLog = { msg: 'this is fine', pii: { name: 'Jean Doe' } };

redact(goodLog);
// => { msg: 'this is fine', pii: { name: '[REDACTED]' } }

However, logs can be unstructured. What if the pii field is a string?

const fastRedact = require('fast-redact');

const redact = fastRedact({ paths: ['pii.*'] });

const log = { msg: 'this is fine', pii: '😈' };

redact(log);
// => TypeError: Cannot assign to read only property '0' of string '😈'

I think the desired behaviour here would be for fast-redact to pass through the string untouched rather than throwing a runtime error.

Given Node 18 fully supports ESM, and there may be ESM projects that want to consume this library, I thought I would raise this issue.

Happy to raise a PR with a vague sketch of how this might be achieved.

Generally I want to redact **.authorization to make sure I don't leak credentials into logging, for any rare error cases where a request object might be buried in a field of an exception.

Hi! I love the new support for multiple wildcards in redaction paths. Unfortunately, when the PR for that feature was merged, it looks like it introduced some weird behavior.

As shown in this test and the one right below it, when a wildcard is used in a redaction path, and that path is exposed to the censor function, the prior contract was for the censor function to see a path based on what the wildcard actually matched. E.g., the path '*.b' would be passed to the censor function as ['a', 'b'] if the wildcard matched a key named 'a'.

With multiple wildcards, though, as shown in this test, the first wildcard in the path is exposed to the censor function using the actual key it matched, but subsequent wildcards are passed in as a literal '*'.

I implemented the original support for passing a path to the censor function, so I'd normally be open to fixing this ticket, but I really have no time right now. I've also completely forgotten everything figured out about specialSet, and generally how all the pieces of this library fit together.

If @lukehedger is able to fix this, that would be amazing, since he's obviously touched the code more recently and wrote the multi-wildcard code. But, if he doesn't have time either, I figured I'd still open this issue just to document the problem.

Because only one wildcard per path is supported, there is no way to redact anything inside a doubly nested array.

E.g. in the following object, you can redact anything underneath tokens unless you redact everything underneath tokens:

{ creditcards: [ { amount: 0, tokens: [ { tokenValue: 'string', tokenType: 'string', cardType: 'string', expDate: 'string', cardHolderName: 'string', lastFour: 'string', }, ], }, ], }

Unless I am missing something. Would be great to support.

When objects have a toJSON function redacting is not working:

const fastRedact = require('fast-redact');

const data = {
  a: 'asd',
  toJSON: () => ({
    a: 'well',
  }),
};

const s = fastRedact({
  paths: ['a'],
});

console.log(s(data));

Prints:

{"a":"well"}

as suggested by @jasnell

The issue

Each path type (static, group, nested) uses an isolated way
of storing and restoring values on the original object.

In case of a property that matches multiple redaction paths,
this isolation leads to loss of information as it fails to restore the
original value on the original mutated object.

The issue can be reproduced with the following:

const redact = fastRedact({
  paths: ['a', '*.b', 'x.b'],
  serialize: false
})
const o = {
  x: {
    a: 'a',
    b: 'b'
  }
}
redact(o)

In this example x.b would match both the static x.b
path and the wildcard *.b path leading in the original
object being restored as:

{
  x: {
    a: 'a',
    b: '[REDACTED]'
  }
}

I prepared #34 that resolves this issue.
Haven't checked the performance impact yet but will do asap.

Tried to set-up using fast-redact for redacting PII from logs. However the logs are unstructured and it's non-obvious the package doesn't support wildcarding depths in object paths rather than widths at specific depths.
e.g.

import fastRedact from 'fast-redact';

describe('fastRedact', () => {
  test('deep wildcard redaction', () => {
    const redact = fastRedact({ paths: ['*.firstName'] });
    const obj = {
      x: { firstName: 'redactme' },
      y: { a: { firstName: 'redactme' } },
      z: { c: { h: { firstName: 'redactme' } } },
    };

    expect(redact(obj)).toStrictEqual(
      JSON.stringify({
        x: { firstName: '[REDACTED]' },
        y: { a: { firstName: '[REDACTED]' } }, // is 'redactme
        z: { c: { h: { firstName: '[REDACTED]' } } }, // 'redactme'
      }),
    );
  });
});

I can get the above to work if I add paths: ['*.firstName', '*.*.firstName', '*.*.*.firstName'] but as these are unstructured logs, I'll never know the depth of the object beforehand

Have I missed something in the documentation to enable the depth wildcard traversal?

Using fast-redact is currently not possible with a CSP without unsafe-eval in the browser, an option to not use eval/Function at the cost of worse performance will be helpful for such environments.

That needs to be thoroughly commented. My eyes cross and I black out for some indeterminate time when I see it.

Hello, I want to redact mongo queries in my logs, eg

query: {
   'my.secret.token': 'cndqoncwqon',
}

I tried paths like paths: ["query['my.secret.token']"] but the validator complains

undefined:9
       if (o.query && o.query['my && o.query['my.secret && o.query['my.secret.token'] != null) {
                                              ^^
 
 SyntaxError: Unexpected identifier

any ideas ?
thanks in advance

I want to be able the redact a key in multiple levels. So i wrote this code:

const fastRedact = require('fast-redact');
const paths = ['*.d', '*.*.d', '*.*.*.d'];

const redact = fastRedact({
  paths,
});

const obj = {
  x: { c: { d: 'hide me', e: 'leave me be' } },
  y: { c: { d: 'and me', f: 'I want to live' } },
  z: { c: { d: 'and also I', g: 'I want to run in a stream' } },
};

console.log(redact(obj));
console.log(obj);

The output is:

{"x":{"c":{"d":"[REDACTED]","e":"leave me be"}},"y":{"c":{"d":"[REDACTED]","f":"I want to live"}},"z":{"c":{"d":"[REDACTED]","g":"I want to run in a stream"}}}
{
  x: { c: { d: '[REDACTED]', e: 'leave me be' } },
  y: { c: { d: '[REDACTED]', f: 'I want to live' } },
  z: { c: { d: '[REDACTED]', g: 'I want to run in a stream' } }
}

You can see that the original object is modified.

Seems like something is wrong with the nestedRestore and the nestedRedact functions.

When i added multiple levels that do not exist in the object. Seems like that nestedRedact with the specialSet functions doesn't build the store properly.

One of the things that threw me for a loop while giving the redact feature a spin in pino was the fact that it's not documented whether or not the redaction paths are case sensitive.

It turns out that they are. That makes it extremely burdensome to construct a comprehensive list for redacting logs across a wide organization. Consider socialsecuritynumber and the variations possible:

socialsecuritynumber
socialSecuritynumber
socialsecurityNumber
socialSecurityNumber

The argument here might be "well this is a code quality issue that should be caught or prevented," and that would be well justified. But across large orgs with varying teams, varying levels of skill, oversight, and caring, asserting code quality isn't a reasonable assertion.

First and foremost, the documentation needs to be updated to reflect the current state - paths are case-sensitive.

I'd love to see some consideration given to allowing for the search to be case-insensitive.

We've been using fast-redactto redact PII data from an event stream we get from a partner. These events are high volume and quite large (on the order of a few kilobytes). This service has been experiencing memory issues that (I think) I've traced back to fast-redact. Here is a minimum reproducible example:

import fastRedact from 'fast-redact';

const redactPaths = [ 'a', '*.a' ]

const event: Record<string, unknown> = {
  id: 1,
  a: {
    id: 2,
  },
};

const eventString = JSON.stringify(event)

const fr = fastRedact({
  paths: redactPaths,
  serialize: false,
});


fr({
  // MUST use a new object each time!
  payload: JSON.parse(eventString),
})
fr({
  // MUST use a new object each time!
  payload: JSON.parse(eventString),
})
fr({
  // MUST use a new object each time!
  payload: JSON.parse(eventString),
})
fr({
  // MUST use a new object each time!
  payload: JSON.parse(eventString),
})

Every call to the fr function accumulates a copy of the input object inside the this.secret object in the compiled Function against a key of '', the empty string. You can observe this by applying the following diff to this library at tag v3.3.0:

diff --git a/lib/redactor.js b/lib/redactor.js
index af58885..8f7d163 100644
--- a/lib/redactor.js
+++ b/lib/redactor.js
@@ -10,6 +10,7 @@ function redactor ({ secret, serialize, wcLen, strict, isCensorFct, censorFctTak
     if (typeof o !== 'object' || o == null) {
       ${strictImpl(strict, serialize)}
     }
+    console.log(["In generated function", this.secret['']])
     const { censor, secret } = this
     ${redactTmpl(secret, isCensorFct, censorFctTakesPath)}
     this.compileRestore()

Crudely, the above just dumps the contents of the this.secret[''] value, but it's enough to demonstrate that this array is appended to for every call to fr. Running the above reproducible example with the diff applied to the codebase yields the output:

[ 'In generated function', undefined ]
[
  'In generated function',
  [ { path: [Array], value: [Object], target: [Object] } ]
]
[
  'In generated function',
  [
    { path: [Array], value: [Object], target: [Object] },
    { path: [Array], value: [Object], target: [Object] }
  ]
]
[
  'In generated function',
  [
    { path: [Array], value: [Object], target: [Object] },
    { path: [Array], value: [Object], target: [Object] },
    { path: [Array], value: [Object], target: [Object] }
  ]
]

It's not clear what the fix is here, is this the fault of the wildcard parser for having a beforeStr value of the empty-string? Is it the fault of the compiled function that uses the wildcards? Or is it an issue with the specialSet function that actually appends to the array?

If I have a structure:

{
  headers: {
    host: "xxx",
    "user-agent": "xxx",
    "x-authorization": "xxx"
  }
}

How do I specify a path that redacts headers.x-authorization ?

Here's a test script I was using for something similar:

import * as F from 'fast-redact';
import { inspect } from 'util';

describe('Redact', () => {
    it('can redact', () => {
        const options: F.RedactOptions = {
            paths: ['authorization', 'abc."x-authorization"'],
            serialize: false
        };
        const original = {
            innocuous: 'public info',
            authorization: 'secret info',
            abc: {
                'x-authorization': 'another secret'
            }
        };
        const r = F(options);
        r(original);
        console.log(inspect(original, { depth: null }));
        expect(original.authorization).toEqual('[REDACTED]');
    });
});

I get:

    fast-redact – Invalid path (abc."x-authorization")

      15 |             }
      16 |         };
    > 17 |         const r = F(options);
         |                   ^

I tried other options - e.g. 'abc.x-authorization', but I couldn't come up with anything that worked.

A TypeError: Cannot set property 'xxx' of undefined happens in fact-redact when a redact path starts with a wildcard and the object being redacted contains a property with a null value.

Here's a way to reproduce the error. "fr.js" contains this code:

const fastRedact = require('fast-redact')
const fauxRequest = {
  foo: null
}

const redact = fastRedact({ paths: ['*.password']})

console.log(redact(fauxRequest))

and this is what happens when the code is run:

$ node fr.js
.../node_modules/fast-redact/lib/modifiers.js:37
    target[key] = value
                ^

TypeError: Cannot set property 'password' of undefined
    at Object.nestedRestore (.../node_modules/fast-redact/lib/modifiers.js:37:17)
    at Object.eval (eval at compileRestore (.../node_modules/fast-redact/lib/restorer.js:16:20), <anonymous>:13:17)
    at Object.eval (eval at redactor (.../node_modules/fast-redact/lib/redactor.js:9:18), <anonymous>:24:10)
    at Object.<anonymous> (.../fr.js:8:13)
    at Module._compile (internal/modules/cjs/loader.js:654:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:665:10)
    at Module.load (internal/modules/cjs/loader.js:566:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:506:12)
    at Function.Module._load (internal/modules/cjs/loader.js:498:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:695:10)