
Pino Redact does not work with Pino HTTP customAttributeKeys.

Open sethtomy opened this issue 3 years ago • 7 comments

I currently am using pino-http to map to an ECS format. When doing so though my redactions are not taking place.

redact: {
  paths: ['http.request.headers.authorization'],
  censor: '***REDACTED***',
},
customAttributeKeys: {
  req: 'http.request',
},

sethtomy, Aug 01 '22 13:08

Thanks for reporting!

Can you provide steps to reproduce? We often need a reproducible example, e.g. some code that allows someone else to recreate your problem by just copying and pasting it. If it involves more than a couple of different files, create a new repository on GitHub and add a link to that.

mcollina, Aug 01 '22 19:08

Hey @mcollina, glad to help! It's quite small to reproduce so I'll post here. If it's too much trouble I'm more than happy to put in a repo as well, just lmk.

const http = require('http');
const server = http.createServer(handle);

// "pino-http": "^8.2.0"
const logger = require('pino-http')({
    redact: {
        paths: ['http.request.headers.authorization'],
        censor: '***REDACTED***',
    },
    customAttributeKeys: {
        req: 'http.request',
    },
});

function handle(req, res) {
    logger(req, res)
    req.log.info('hello');
    res.end('world');
}

server.listen(3000)

curl localhost:3000 -v -H "Authorization: Basic foo.bar"

# results in server logs
{..."http.request":{..."headers":{..."authorization":"Basic foo.bar"...}

sethtomy, Aug 01 '22 20:08

^ Not sure if it helps but using the pre "customAttributeKeys" path does not redact either.

Additionally if you think it's low hanging fruit for an open source newbie feel free to point me in the direction and I'll make an attempt at it.

sethtomy, Aug 01 '22 20:08

I'm not using this module.. if you'd like this fixed I'd love to review a PR.

mcollina, Aug 02 '22 10:08

@sethtomy Your example doesn't work because pino assumes that it should redact an object with the given structure:

{ http: { request: { headers: { authorization: "" }}}}

But in your case it's:

{ "http.request": { headers: { authorization: "" }}}

So to make it work, you just need to rewrite the path or use a key without dots in the name:

redact: {
    paths: ['["http.request"].headers.authorization'],
    censor: '***REDACTED***',
},
customAttributeKeys: {
    req: 'http.request',
},

baterson, Oct 06 '22 14:10
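The difference between the two path forms described in the comment above, as an added example that is not part of the original thread and is not pino's or fast-redact's code. `parsePath`, `redact` and `leaks` are hypothetical helpers that model the behaviour in simplified form, and the log record is constructed to match the shape in the report.

```javascript
// Simplified model of how a redact path is split into keys.
// Added illustration only; NOT pino's or fast-redact's implementation.

// Split a path such as 'a.b' or '["a.b"].c' into its list of keys.
function parsePath(path) {
  const keys = [];
  const token = /\[\s*(?:"([^"]*)"|'([^']*)'|(\d+))\s*\]|([^.[\]]+)/g;
  let m;
  while ((m = token.exec(path)) !== null) {
    keys.push(m[1] ?? m[2] ?? m[3] ?? m[4]);
  }
  return keys;
}

// Return a deep copy of `obj` with the value at `path` replaced by `censor`.
// If any key along the path is missing, nothing is redacted (silent no-op).
function redact(obj, path, censor) {
  const copy = JSON.parse(JSON.stringify(obj));
  const keys = parsePath(path);
  let node = copy;
  for (const key of keys.slice(0, -1)) {
    if (node === null || typeof node !== 'object' || !(key in node)) return copy;
    node = node[key];
  }
  const last = keys[keys.length - 1];
  if (node !== null && typeof node === 'object' && last in node) node[last] = censor;
  return copy;
}

// Constructed log record, shaped like the one customAttributeKeys produces:
// the request sits under the single top-level key "http.request".
const SECRET = 'Basic foo.bar';
const record = { 'http.request': { method: 'GET', headers: { authorization: SECRET } } };

// Regression check: does the secret survive into the serialized log line?
function leaks(path) {
  return JSON.stringify(redact(record, path, '***REDACTED***')).includes(SECRET);
}

// Dotted form walks http -> request -> headers -> authorization.
console.log(parsePath('http.request.headers.authorization'));
// Bracketed form treats "http.request" as one key.
console.log(parsePath('["http.request"].headers.authorization'));
console.log('dotted path leaks:   ', leaks('http.request.headers.authorization'));
console.log('bracketed path leaks:', leaks('["http.request"].headers.authorization'));
```

A check like `leaks` is worth keeping as a test against real logger output, since a redact path that matches nothing fails silently and the credential is written in clear text.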

I had the same use case. I think you need to pass a pino logger instance with redact options to pino-http

This is what I have that's working for me for an Express-based server

// pino must be required so a configured instance can be passed in
const pino = require('pino')

const logger = require('pino-http')({
  logger: pino({
    redact: ['req.headers.authorization'],
  }),
})

You can just update the path req.headers.authorization with your path http.request.headers.authorization

RohitRox, Oct 19 '22 18:10

@RohitRox thank you for responding. Unfortunately that does not seem to work in combination with "customAttributeKeys".

@baterson that works perfectly! If you don't mind, for my curiosity, I'm interested in how that's working. I took ~ an hour to look into the issue myself but Streams unfortunately are not my strong suit (I need to learn :)) How is the dot notation for 'http.request.headers.authorization' structurally different from '["http.request"].headers.authorization'? Is there something special around that first "http.request" key?

sethtomy, Nov 04 '22 15:11