Add basic sanitization to logs (#41)

mattermost · Aug 10, 2023 · 2769769 · 2769769
1 parent 0b2d662
commit 2769769
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 6 deletions.
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
@@ -61,6 +61,9 @@ RECORDER_USER=calls
 # Give permission to write recording files.
 chown -R $RECORDER_USER:$RECORDER_USER /recs
 
+# Turn off trace flag so that we avoid logging all the env variables.
+set +x
+
 # Run service as unprivileged user.
 runuser -l $RECORDER_USER -c \
   "SITE_URL=$SITE_URL \
@@ -78,6 +81,9 @@ runuser -l $RECORDER_USER -c \
   XDG_RUNTIME_DIR=/home/$RECORDER_USER/.cache/xdgr \
   /bin/bash -c '/opt/calls-recorder/bin/calls-recorder; echo \$? > ${RECORDER_EXIT_CODE_FILE}'" &
 
+# Turn track flag back on
+set -x
+
 # Wait forever
 wait ${!}
 

diff --git a/build/pkgs_list b/build/pkgs_list
@@ -1,9 +1,9 @@
 ca-certificates=20230311
-chromium=115.0.5790.102-2
-chromium-driver=115.0.5790.102-2
-chromium-sandbox=115.0.5790.102-2
-ffmpeg=7:6.0-4
+chromium=115.0.5790.170-1
+chromium-driver=115.0.5790.170-1
+chromium-sandbox=115.0.5790.170-1
+ffmpeg=7:6.0-5
 fonts-recommended=1
 pulseaudio=16.1+dfsg1-2+b1
 wget=1.21.3-1+b2
-xvfb=2:21.1.7-3
+xvfb=2:21.1.8-1
diff --git a/cmd/recorder/recorder.go b/cmd/recorder/recorder.go
@@ -125,7 +125,8 @@ func (rec *Recorder) runBrowser(recURL string) error {
 			}
 
 			str := fmt.Sprintf("chrome console %s %s", ev.Type.String(), strings.Join(args, " "))
-			log.Printf(str)
+
+			log.Printf(sanitizeConsoleLog(str))
 		}
 	})
 

diff --git a/cmd/recorder/utils.go b/cmd/recorder/utils.go
@@ -0,0 +1,13 @@
+package main
+
+import (
+	"regexp"
+)
+
+var (
+	icePasswordRE = regexp.MustCompile(`ice-pwd:[\w|\+|/]+`)
+)
+
+func sanitizeConsoleLog(str string) string {
+	return icePasswordRE.ReplaceAllString(str, "ice-pwd:XXX")
+}
diff --git a/cmd/recorder/utils_test.go b/cmd/recorder/utils_test.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSanitizeConsoleLog(t *testing.T) {
+	tcs := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name: "empty string",
+		},
+		{
+			name:     "alphanumeric",
+			input:    "ice-pwd:aBc123",
+			expected: "ice-pwd:XXX",
+		},
+		{
+			name:     "special chars",
+			input:    "ice-pwd:/aBc+1/2",
+			expected: "ice-pwd:XXX",
+		},
+		{
+			name:     "with ending",
+			input:    "ice-pwd:abc123\\rtest",
+			expected: "ice-pwd:XXX\\rtest",
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			require.Equal(t, tc.expected, sanitizeConsoleLog(tc.input))
+		})
+	}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -125,7 +125,8 @@ func (rec *Recorder) runBrowser(recURL string) error { @@
     			}
     			str := fmt.Sprintf("chrome console %s %s", ev.Type.String(), strings.Join(args, " "))
-    			log.Printf(str)
+    			log.Printf(sanitizeConsoleLog(str))
     		}
     	})
@@ Expand Down @@