express-bunyan-logger

Obfuscation potentially mutates req/res data

Open xdissent opened this issue 7 years ago • 1 comments

If you add an obfuscate option like obfuscate: ['body.password'] and attempt to access req.body.password after the req has been logged (immediate: true for example), you'll receive [HIDDEN] as the value for req.body.password. The logger should deep copy the req/res data (body, headers), rather than assigning, to prevent mutation.

xdissent, May 18 '17 16:05

We provided an optimization to do work after express returned, and it turns out our sensitive but important information is clobbered by the [HIDDEN] string.

jingram-classy, Oct 24 '17 22:10
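The aliasing behaviour reported in this thread, reproduced as an added example that is not code from express-bunyan-logger or from either poster. The function names (obfuscateInPlace, obfuscateCopy, setPath, demo) and the sample request are hypothetical and constructed for illustration; the copying variant clones only the objects along each obfuscated path rather than the whole body.

```javascript
// Added illustration; function names are hypothetical, not express-bunyan-logger's API.
const HIDDEN = '[HIDDEN]';

// Walks a dotted path such as 'body.password' and overwrites the leaf in place.
// meta.body is the same object as req.body, so the caller's data changes too.
function obfuscateInPlace(meta, paths) {
  for (const path of paths) {
    const keys = path.split('.');
    let node = meta;
    for (const key of keys.slice(0, -1)) {
      node = node == null ? undefined : node[key];
    }
    const leaf = keys[keys.length - 1];
    if (node != null && typeof node === 'object' && leaf in node) node[leaf] = HIDDEN;
  }
  return meta;
}

// Copy-on-write: shallow-copies each object along the path before writing,
// so the log record gets '[HIDDEN]' while the original request keeps its value.
function setPath(node, keys, value) {
  if (node == null || typeof node !== 'object' || !(keys[0] in node)) return node;
  const copy = Array.isArray(node) ? node.slice() : { ...node };
  copy[keys[0]] = keys.length === 1 ? value : setPath(node[keys[0]], keys.slice(1), value);
  return copy;
}

function obfuscateCopy(meta, paths) {
  let out = meta;
  for (const path of paths) out = setPath(out, path.split('.'), HIDDEN);
  return out;
}

// Constructed request objects standing in for an Express req after body parsing.
function demo() {
  const reqA = { body: { user: 'alice', password: 'constructed-secret' } };
  const loggedA = obfuscateInPlace({ body: reqA.body }, ['body.password']);
  const reqB = { body: { user: 'alice', password: 'constructed-secret' } };
  const loggedB = obfuscateCopy({ body: reqB.body }, ['body.password']);
  return {
    inPlace: { logged: loggedA.body.password, handlerSees: reqA.body.password },
    copied: { logged: loggedB.body.password, handlerSees: reqB.body.password },
  };
}
```

In demo(), the in-place variant leaves the handler reading [HIDDEN] from req.body.password, while the copying variant redacts only the logged record.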