
pino-noir's Introduction

pino.io project

Running Locally

git clone https://github.com/pinojs/pinojs
cd pinojs
npm install
npm start

pino-noir's People

Contributors

combizs, mcollina, mrchief, smably, yellowbrickc


pino-noir's Issues

Is the use of eval still the best approach?

I noticed that eval is used in pino-noir

// we use eval to pre-compile the redactor function
// this gives us up 100's of ms (per 10000ops) in some
// cases (deep nesting, wildcards). This is certainly
// safe in this case, there is not user input here.
/* eslint no-eval: 0 */
function factory (paths) {
  var redactor
  eval('redactor = function redactor (o) { return redact(o, ' + JSON.stringify(paths) + ') }')
  redact() // shh linter
  return redactor
}

After reading around a bit, I wasn't sure how eval was being used here to precompile the redactor function, and how it was being more efficient/faster?

Also asking since I read this on MDN:

eval() is also slower than the alternatives, since it has to invoke the JavaScript interpreter, while many other constructs are optimized by modern JS engines.

Are there any benchmarks on using eval vs. not using it?
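How code generation can precompile a redactor, as an added example (not pino-noir's source; `buildSource` and `compileRedactor` are hypothetical names). It goes a step beyond the quoted snippet, which only bakes the path list into the function as a literal, and it keeps the same `JSON.stringify` embedding so that path text reaches the generated source only as string literals.

```javascript
// Added example: a generic illustration of precompiling, not pino-noir's source.
// buildSource and compileRedactor are hypothetical names.
const isObj = v => v !== null && typeof v === 'object'

// Emit straight-line source for a fixed list of dotted paths. Each key is
// embedded via JSON.stringify, so it can only appear as a string literal in
// the generated code, whatever characters it contains.
function buildSource (paths) {
  const lines = paths.map(path => {
    const keys = path.split('.').map(k => JSON.stringify(k))
    const last = keys.pop()
    let parent = 'o'
    const conds = []
    for (const k of keys) {
      conds.push(`isObj(${parent})`)
      parent += `[${k}]`
    }
    conds.push(`isObj(${parent})`, `${last} in ${parent}`)
    return `if (${conds.join(' && ')}) ${parent}[${last}] = censor`
  })
  return lines.join('\n') + '\nreturn o'
}

// Compile once at setup time; the returned function does no path parsing
// or looping per log call.
function compileRedactor (paths, censor) {
  const fn = new Function('o', 'censor', 'isObj', buildSource(paths))
  return o => fn(o, censor, isObj)
}

// Constructed sample input. The second path is a key full of code-like
// characters; it is treated as an ordinary (absent) property name.
const oddKey = 'x"]; o.injected = true; //'
const redactCompiled = compileRedactor(['req.headers.authorization', oddKey], '[redacted]')
const out = redactCompiled({ req: { headers: { authorization: 'Basic foobar==', host: 'h' } } })
console.log(buildSource(['req.headers.authorization']))
console.log(out)
```

The generated function mutates the object it is given, and the sketch makes no timing claim; measure on the engine you deploy.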

Pino-noir logs the whole req object

We are using [email protected], [email protected] and the newest pino-noir. We have the following log structure (showing only important properties):

{
  "req": {
    "headers": {
      "x-forwarded-for": "11.11.11.11",
      "authorization": "Basic foobar=="
    }
  },
  "res": {
    "statusCode": 200
  }
}

We want to redact the values in the authorization and x-forwarded-for headers:

const noir = pinoNoir(['req.headers.authorization', 'req.headers.x-forwarded-for'], '[redacted]')

app.use(pinoLogger({
    name: 'logger',
    serializers: noir
}))

This, however, creates HUUUGE logs; it basically does a JSON.stringify on the req object (about 500 lines of output per log). What am I missing here? Is it due to the old restify version?

Add example (or even test case)?

I had to write the following test application to determine if my desired use case would work. I couldn't find it in the documentation or tests. Specifically, I needed to know if I could specify serializers in addition to the ones returned by pino-noir. So I'm wondering if we think this should be added to the documentation at the least:

'use strict'

const app = require('express')()
const pino = require('pino')
const noir = require('pino-noir')(['req.headers.host'])
const serializers = {
  err: pino.stdSerializers.err
}
const logger = require('express-pino-logger')({
  level: 'debug',
  serializers: Object.assign({}, serializers, noir)
})

app.use(logger)

app.get('/', (req, reply) => {
  req.log.error(Error('this is a test'))
  reply.send('hello world')
})

app.listen(3000)

Also, holy 🐄!, the logged express request object is huge.

Possible to redact partially?

Is it possible to redact partially, like the way credit card numbers or SSN numbers are done?

E.g.

{ secret: "1234567890" } 

// outputs

{ secret: "xxxxxx7890" }

This will be very helpful to identify potential issues without delving the entire secret.

I think the easiest and most flexible way would be to accept a function? Something like this:

censor = (value) => {
  // apply mask
  return maskedValue
}

I understand this will cause a dip in performance which should be acceptable since this will be opt-in. And if there's a way to do it without sacrificing performance, even better!

Thoughts?
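A function-based censor of the kind requested above, as an added example that is not part of the original issue and not pino-noir's API. `maskTail` and `redactWith` are hypothetical names, and the sample record is constructed.

```javascript
// Added example: hypothetical helpers, not pino-noir's API.

// Mask everything except the last `keep` characters. Values shorter than
// twice `keep` are masked in full, so the visible tail is never most of
// the secret. Objects are never shown partially.
function maskTail (value, keep = 4, maskChar = 'x') {
  if (value === null || value === undefined) return value
  if (typeof value === 'object') return '[redacted]'
  const s = String(value)
  const shown = s.length >= keep * 2 ? keep : 0
  return maskChar.repeat(s.length - shown) + s.slice(s.length - shown)
}

// Apply `censor` at each dotted path of a deep copy, leaving the original
// untouched. Assumes plain JSON data (no cycles, no dots inside keys).
function redactWith (obj, paths, censor) {
  const copy = JSON.parse(JSON.stringify(obj))
  for (const path of paths) {
    const keys = path.split('.')
    const last = keys.pop()
    let node = copy
    for (const k of keys) {
      node = (node !== null && typeof node === 'object') ? node[k] : undefined
      if (node === undefined) break
    }
    const isObject = node !== null && typeof node === 'object'
    if (isObject && Object.prototype.hasOwnProperty.call(node, last)) {
      node[last] = censor(node[last])
    }
  }
  return copy
}

// Constructed sample log record.
const sample = { secret: '1234567890', card: { pan: '4111111111111111', cvv: '123' } }
const masked = redactWith(sample, ['secret', 'card.pan', 'card.cvv', 'card.missing'], maskTail)
console.log(masked)
```

The mask preserves the value's length, as in the `xxxxxx7890` example; emit a fixed-width mask instead if the length itself is sensitive.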

Partial wildcard matching

My team leverages a few fields in our headers for authentication, namely x-api-key, x-api-secret, and x-api-password.

Currently, we can redact all of those by providing the three individual strings to pino, but I was wondering if there's a way we could use the wildcard character to pass pino something like req.headers["x-api-*"] instead?

Massive log messages

Quite possibly me but just thought I would check. Following the example for express in the readme.md, my log message post redaction is massive, essentially unusable.

Is this something I did, or is that what to expect from pino-noir?

Thanks

pino noir crashing hapi server

pino noir crashing hapi server.
It could be related to - #1

const pino = require('hapi-pino');
const pinoNoir = require('pino-noir');
...
{
  register: pino,
  options: {
    serializers: pinoNoir([
      'created',
      'req.headers.authorization'
    ], '[Redacted]')
  }
},

Versions I'm using:

├─┬ [email protected]
│ └─┬ [email protected]
├── [email protected]

Wildcards for intermediate paths

I was making some tests here and figured out that wildcards * only work in tail position.

Currently we have to do something like this:

[
    'err.options.auth.password',
    'options.auth.password',
    'auth.password'
]

It would be very nice if we could do something like:

*.password: objects containing password key in the first level.
err.*.password: objects containing err key in the first level and password key on the third.
**.password: objects containing password key in any level (possible performance hit)
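A matcher covering the patterns proposed here and the `x-api-*` key glob from the "Partial wildcard matching" issue above, as an added example that is not pino-noir's implementation. `compile`, `walk`, `redact` and `makeSample` are hypothetical names, the dotted pattern syntax is an assumption, and the sample record is constructed.

```javascript
// Added example: a hypothetical matcher, not pino-noir's implementation.
// Patterns are dot-separated segments (keys containing "." are not addressable):
// a literal key, a key glob such as "x-api-*" or "*", or "**" for any depth.
function compile (pattern) {
  return pattern.split('.').map(seg => {
    if (seg === '**') return seg
    const parts = seg.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    return new RegExp('^' + parts.join('.*') + '$')
  })
}

// Censor, in place, every value whose key path matches segs[i..].
function walk (node, segs, i, censor, seen) {
  if (node === null || typeof node !== 'object' || i >= segs.length) return
  const seg = segs[i]
  if (seg === '**') {
    // Request objects are often cyclic; visit each node once per "**".
    if (seen[i].has(node)) return
    seen[i].add(node)
    walk(node, segs, i + 1, censor, seen) // "**" spanning zero levels
    for (const key of Object.keys(node)) walk(node[key], segs, i, censor, seen)
    return
  }
  for (const key of Object.keys(node)) {
    if (!seg.test(key)) continue
    if (i === segs.length - 1) node[key] = censor
    else walk(node[key], segs, i + 1, censor, seen)
  }
}
function redact (obj, patterns, censor = '[Redacted]') {
  for (const pattern of patterns) {
    const segs = compile(pattern)
    walk(obj, segs, 0, censor, segs.map(() => new WeakSet()))
  }
  return obj
}

// Constructed sample record, including a cycle.
function makeSample () {
  const s = {
    req: { headers: { 'x-api-key': 'k', 'x-api-secret': 's', 'x-api-password': 'p', host: 'example.test' } },
    auth: { password: 'a' },
    err: { options: { password: 'b', auth: { password: 'c' } } }
  }
  s.err.self = s.err
  return s
}

console.log(redact(makeSample(), ['req.headers.x-api-*', '**.password']))
```

Only `**` can recurse without bound, which is why the cycle guard sits there; every other segment consumes one level of the pattern.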

pino-noir hangs the server (redacting req.headers)

Tried to use pino-noir in the following way:

  opts.serializers = noir([
    'created',
    'req.headers.authorization'
  ], '[Redacted]')

Server hangs.
Note that the created property is redacted on the server start event and the bug seems to kick in when having to deal with the request headers.
