logstruct 0.1.11 → 0.1.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90d690080da4286690ca86f0d9eb5b9514483f2324898f07912d66015ec4269d
-  data.tar.gz: df38c5f2434cc5afae25606f77ab2d9a532c9d77c58f81bd558824907ed66418
+  metadata.gz: 3aec4782f7bcf89ea8cba8792210e1e5f04165221250178ed283196d7ac89c9d
+  data.tar.gz: 4b1d1ffc34a814f4131a43074a598fca7a14acb4ac4cc1ae41cb51f3f35125c2
 SHA512:
-  metadata.gz: f654b8b6b7ecf8114c08d4c2b3f9d0f97160bfbd44f60b89ffb08001fed4b186bf7c9697ea8ca1b9ac2d25071f481637e4b050ab4be01efac286d793c12cb7ff
-  data.tar.gz: 88f8fcf0c87b5e2ccd96152d8abb3de94aaeb952879a37c4cb4fdb84fa9fa858d7fb230f50a8e4d440e30e3a6746cb6bb7b0dc3abdd1dc5f7d95ddfbfed18f0b
+  metadata.gz: ab3a907bc346e681caefe09e8a5abda86b4724221722460a6376f13601c2c10dd6d066f5e523b7b1d6088afbb6db60b6a506d57c25b2c762aacb9e7a602ca2cc
+  data.tar.gz: 64812fee369aa713104846f69dea5ac17b93c12258ef619ff63c7c9726f51b79fc6d449e45e026d7cd46cc24441ed6a820386346be4df6655ae73974742c2bb9

data/CHANGELOG.md

@@ -9,6 +9,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+## [0.1.12] - 2026-01-30
+
+### Added
+
+- **Security**: Default regex filter matchers for sensitive keys (password, token, secret, auth, cred, api_key, etc.)
+- **Security**: Job argument filtering for GoodJob/ActiveJob - respects `log_arguments?` class method
+- **Security**: SQL bind parameter filtering now detects JWT tokens and Bearer tokens
+
+### Fixed
+
+- **Security**: Reserved keys (src, evt, lvl, ts) in `additional_data` are now protected from being overwritten
+- **CI**: Fixed Ruby 4.0 bundler security error on GitHub Actions (world-writable gem directory)
+
 ## [0.1.11] - 2026-01-28
 
 ### Changed

data/lib/log_struct/builders/active_job.rb

@@ -21,9 +21,12 @@ module LogStruct
         job.respond_to?(:executions) ? job.executions : nil
       end
 
+      # Respect log_arguments? setting on job classes.
+      # Arguments are logged by default but can be opted-out per job class.
+      # When logged, sensitive keys are filtered by Formatter.process_values.
       sig { params(job: T.untyped).returns(T.nilable(T::Array[T.untyped])) }
       def self.safe_arguments(job)
-        return nil unless job.class.respond_to?(:log_arguments?)
+        return job.arguments unless job.class.respond_to?(:log_arguments?)
         job.class.log_arguments? ? job.arguments : nil
       end
 

data/lib/log_struct/config_struct/filters.rb

@@ -88,11 +88,32 @@ module LogStruct
       # Default: false
       prop :mac_addresses, T::Boolean, default: false
 
+      # Default regex pattern for matching sensitive keys.
+      # Matches keys containing: password, token, secret, auth, cred
+      # Also matches specific key patterns: api_key, secret_key, private_key, access_key, encryption_key
+      # Examples: access_token, api_key, auth_header, credentials
+      # Uses start/end of string or underscore/hyphen boundaries to prevent
+      # false positives like "keyboard" or "turkey" (which contain "key" mid-word)
+      # Note: "key" alone is too broad (matches cron_key, primary_key), so we only match
+      # specific sensitive key patterns
+      DEFAULT_SENSITIVE_KEY_PATTERN = T.let(
+        /(^|[_-])(password|token|secret|auth|cred)([_-]|$)|(^|[_-])(api|secret|private|access|encryption)_key([_-]|$)/i,
+        Regexp
+      )
+
       # Additional filter matchers built from Rails filter_parameters entries that aren't simple symbols.
       # Each matcher receives the key (String) and optional value, returning true when the pair should be filtered.
+      # By default, includes a regex matcher for common sensitive key patterns.
       prop :filter_matchers,
         T::Array[FilterMatcher],
-        factory: -> { [] }
+        factory: -> {
+          [
+            FilterMatcher.new(
+              callable: ->(key, _value) { DEFAULT_SENSITIVE_KEY_PATTERN.match?(key) },
+              label: "default_sensitive_pattern"
+            )
+          ]
+        }
     end
   end
 end

data/lib/log_struct/integrations/active_model_serializers.rb

@@ -31,8 +31,8 @@ module LogStruct
           LogStruct.info(
             LogStruct::Log::ActiveModelSerializers.new(
               message: "ams.render",
-              serializer: serializer&.to_s,
-              adapter: adapter&.to_s,
+              serializer: serializer&.name,
+              adapter: adapter&.class&.name,
               resource_class: resource&.class&.name,
               duration_ms: duration_ms,
               timestamp: started

data/lib/log_struct/integrations/active_record.rb

@@ -281,6 +281,12 @@ module LogStruct
         return true if value.match?(/\A[A-Za-z0-9+\/]{20,}={0,2}\z/)  # Base64
         return true if value.match?(/(password|secret|token|key|auth)/i)
 
+        # Filter JWT tokens (header.payload.signature format, starts with "ey")
+        return true if value.match?(/\Aey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\z/)
+
+        # Filter Bearer tokens
+        return true if value.match?(/\ABearer\s+/i)
+
         false
       end
     end

data/lib/log_struct/integrations/good_job/log_subscriber.rb

@@ -148,11 +148,21 @@ module LogStruct
             job_id: job&.job_id,
             job_class: job&.job_class,
             queue_name: job&.queue_name&.to_sym,
-            arguments: job&.arguments,
+            arguments: safe_arguments(job),
             executions: execution&.executions
           )
         end
 
+        # Respect log_arguments? setting on job classes (consistent with ActiveJob behavior).
+        # Arguments are logged by default but can be opted-out per job class.
+        # When logged, sensitive keys are filtered by Formatter.process_values.
+        sig { params(job: T.untyped).returns(T.nilable(T::Array[T.untyped])) }
+        def safe_arguments(job)
+          return nil unless job
+          return job.arguments unless job.class.respond_to?(:log_arguments?)
+          job.class.log_arguments? ? job.arguments : nil
+        end
+
         # Calculate wait time from job creation to execution start
         sig { params(execution: T.untyped).returns(T.nilable(Float)) }
         def calculate_wait_time(execution)

data/lib/log_struct/shared/merge_additional_data_fields.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require_relative "interfaces/additional_data_field"
+require_relative "../enums/source"
 
 module LogStruct
   module Log
@@ -13,12 +14,24 @@ module LogStruct
         requires_ancestor { T::Struct }
         requires_ancestor { Interfaces::AdditionalDataField }
 
+        # Reserved keys that cannot be overwritten by additional_data.
+        # These are the core log structure fields that must not be modified.
+        RESERVED_KEYS = T.let(%i[src evt lvl ts].freeze, T::Array[Symbol])
+
         sig { params(hash: T::Hash[Symbol, T.untyped]).void }
         def merge_additional_data_fields(hash)
           ad = additional_data
           return unless ad
           ad.each do |key, value|
-            hash[key.to_sym] = value
+            sym_key = key.to_sym
+            if RESERVED_KEYS.include?(sym_key)
+              LogStruct.handle_exception(
+                ArgumentError.new("additional_data attempted to overwrite reserved key: #{sym_key}"),
+                source: Source::Internal
+              )
+              next
+            end
+            hash[sym_key] = value
           end
         end
       end

data/lib/log_struct/version.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module LogStruct
-  VERSION = "0.1.11"
+  VERSION = "0.1.12"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstruct
 version: !ruby/object:Gem::Version
-  version: 0.1.11
+  version: 0.1.12
 platform: ruby
 authors:
 - DocSpring