redacting-logger 1.0.0

checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: '0913f102f2fa739214c54f742359f8771cc84212e9a8fcdd05eeff041b54a42d'
4
+ data.tar.gz: 8bc325f2c2fb50c9e32f70abe8ba4d6ac8236597a8a3bb43c90179cdb516ea53
5
+ SHA512:
6
+ metadata.gz: 5b3abad7e1a467c4bf63ee3aea78a790b04cd83799199c79bf91e6e1ae9617f6081cd83bcb09acafaee5e0ba579028ffb78a89f75b289bc0924fde6918eb92a7
7
+ data.tar.gz: f5ea63ec3062cc32284a73b05f991ae5b05e1987cfa0c009b7d3d3629cacd9854e71e375f099e5f5b0cfc2421e7f38964b9b11e32d0abd43547b897837b8c676
data/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2023 Grant Birkinbine
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
data/README.md ADDED
@@ -0,0 +1,84 @@
1
+ # redacting-logger
2
+
3
+ [![test](https://github.com/github/redacting-logger/actions/workflows/test.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/test.yml) [![lint](https://github.com/github/redacting-logger/actions/workflows/lint.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/lint.yml) [![build](https://github.com/github/redacting-logger/actions/workflows/build.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/build.yml) [![CodeQL](https://github.com/github/redacting-logger/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/codeql-analysis.yml) [![release](https://github.com/github/redacting-logger/actions/workflows/release.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/release.yml)
4
+
5
+ A redacting Ruby logger to prevent the leaking of secrets via logs
6
+
7
+ > This Gem wraps the official Ruby [`logger`](https://github.com/ruby/logger) utility
8
+
9
+ ![Gem](docs/assets/gem.png)
10
+
11
+ ## Installation 💎
12
+
13
+ You can download this Gem from [GitHub Packages](https://github.com/github/redacting-logger/pkgs/rubygems/redacting-logger) or [RubyGems](https://rubygems.org/gems/redacting-logger)
14
+
15
+ Via a Gemfile:
16
+
17
+ ```ruby
18
+ source "https://rubygems.org"
19
+
20
+ gem "redacting-logger", "~> X.X.X" # Replace X.X.X with the latest version
21
+ ```
22
+
23
+ ## Usage 💻
24
+
25
+ ### Basic
26
+
27
+ ```ruby
28
+ require "redacting_logger"
29
+
30
+ # Create a new logger
31
+ logger = RedactingLogger.new(redact_patterns: [/topsecret/])
32
+
33
+ # Log a message that contains some redacted pattern
34
+ logger.info("This is a topsecret message.")
35
+ ```
36
+
37
+ This will output:
38
+
39
+ ```text
40
+ I, [timestamp] INFO -- : This is a [REDACTED] message.
41
+ ```
42
+
43
+ ### Advanced
44
+
45
+ ```ruby
46
+ require "redacting_logger"
47
+
48
+ # Create a new logger
49
+ logger = RedactingLogger.new(
50
+ $stdout, # The device to log to (defaults to $stdout if not provided)
51
+ redact_patterns: [/REDACTED_PATTERN1/, /REDACTED_PATTERN2/], # An array of Regexp patterns to redact from the logs
52
+ level: Logger::INFO, # The log level to use
53
+ redacted_msg: "[REDACTED]", # The message to replace the redacted patterns with
54
+ use_default_patterns: true # Whether to use the default built-in patterns or not
55
+ )
56
+
57
+ # Log a message that contains some redacted patterns
58
+ logger.info("This is a message with a REDACTED_PATTERN1 and REDACTED_PATTERN2 in it.")
59
+ ```
60
+
61
+ This will output:
62
+
63
+ ```text
64
+ I, [timestamp] INFO -- : This is a message with a [REDACTED] and [REDACTED] in it.
65
+ ```
66
+
67
+ ## Default Redaction Patterns
68
+
69
+ This Gem comes pre-built with a few redaction patterns to help you get started. These patterns can be located in [`lib/patterns/default.rb`](lib/patterns/default.rb)
70
+
71
+ A few examples of these patterns are:
72
+
73
+ - GitHub Personal Access Tokens
74
+ - GitHub Temporary Actions Tokens
75
+ - RSA Private Keys
76
+ - JWT Tokens
77
+
78
+ You can disable these default patterns with:
79
+
80
+ ```ruby
81
+ logger = RedactingLogger.new(
82
+ use_default_patterns: false # Whether to use the default built-in patterns or not
83
+ )
84
+ ```
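--- a/data/lib/patterns/default.rb
+++ b/data/lib/patterns/default.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This module contains the default patterns to redact.
+module Patterns
+DEFAULT = [
+/ghp_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/, # GitHub Personal Access Token
+/github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, # GitHub Personal Access Token (fine-grained)
+/ghs_[a-zA-Z0-9]{36}/, # Temporary GitHub Actions Tokens
+/\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$)/, # JWT tokens
+/(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----/ # private keys
+].freeze
+end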
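Review bot: The private-key pattern on line 10 of the hunk only matches when an END footer is present (`[\s\S-]*KEY( BLOCK)?----`), so a key that is truncated before its footer is not redacted at all and the key material reaches the log verbatim; a fallback entry placed after it, such as `/-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S]*/i # header without footer`, would at least blank the remainder of such a message. The `|[0-9A-Fa-f]{40,}` alternative on line 6 — presumably aimed at the pre-prefix classic tokens — also matches every git commit SHA and hex digest that appears in a log line, which looks like a deliberate trade-off but deserves a comment like `# also matches any 40+ hex run (git SHAs, digests): accepted over-redaction`. In the JWT pattern on line 9 the trailing `(?:['|\"|\n|\r|\s|\x60|;]|$)` is part of the match, so the delimiter following a token (closing quote, space, newline) is swallowed into the replacement; a lookahead `(?=['"\n\r\s\x60;]|$)` keeps it, and the `|` characters inside that class are literals rather than alternation.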
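--- a/data/lib/redacting_logger.rb
+++ b/data/lib/redacting_logger.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "logger"
+require_relative "patterns/default"
+
+# RedactingLogger is a custom logger that extends the standard Logger class.
+# It redacts specified patterns in the log messages.
+class RedactingLogger < Logger
+# Initializes a new instance of the RedactingLogger class.
+#
+# @param logdev [Object] The log device. Defaults to $stdout.
+# @param shift_age [Integer] The number of old log files to keep.
+# @param shift_size [Integer] The maximum logfile size.
+# @param redact_patterns [Array<String>] The patterns to redact from the log messages. Defaults to [].
+# @param redacted_msg [String] The message to replace the redacted patterns with.
+# @param use_default_patterns [Boolean] Whether to use the default patterns or not.
+# @param kwargs [Hash] Additional options to pass to the Logger class.
+#
+# logdev, shift_age, and shift_size are all using the defaults from the standard Logger class. -> https://github.com/ruby/logger/blob/0996f90650fd95718f0ffe835b965de18654b71c/lib/logger.rb#L578-L580
+def initialize(
+logdev = $stdout,
+shift_age = 0,
+shift_size = 1048576,
+redact_patterns: [],
+redacted_msg: "[REDACTED]",
+use_default_patterns: true,
+**kwargs
+)
+super(logdev, shift_age, shift_size, **kwargs)
+@redact_patterns = redact_patterns
+@redacted_msg = redacted_msg
+@redact_patterns += Patterns::DEFAULT if use_default_patterns
+end
+
+# Adds a message to the log.
+#
+# @param severity [Integer] The severity level of the message.
+# @param message [String] The message to log.
+# @param progname [String] The name of the program.
+def add(severity, message = nil, progname = nil)
+message, progname = yield if block_given?
+
+if message
+@redact_patterns.each do |pattern|
+message = message.to_s.gsub(pattern, @redacted_msg)
+end
+end
+
+if progname
+@redact_patterns.each do |pattern|
+progname = progname.to_s.gsub(pattern, @redacted_msg)
+end
+end
+
+super(severity, message, progname)
+end
+end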
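Review bot: `message, progname = yield if block_given?` on line 41 of the hunk departs from Logger#add, which calls the block only when `message` is nil and uses its value as the message alone: here the block overrides an explicitly passed message, `logger.info("prog") { "msg" }` loses its progname, and a block returning an Array is split across message and progname instead of being logged whole; `message = yield if message.nil? && block_given?` restores that contract. Redaction is also bypassed by `Logger#<<`, which writes to the device without going through `add`, so `logger << text` is emitted unredacted — overriding it with the same scrubbing closes that gap. The `to_s` calls change how non-String objects render: Logger's default formatter prints an Exception's class and backtrace, but after `to_s` only its message survives, so if that matters a formatter-level hook would be the more complete place to redact. The YARD type for `redact_patterns` says `Array<String>` while the defaults and the README pass Regexp; `Array<Regexp, String>` matches what `gsub` accepts.
```ruby
def add(severity, message = nil, progname = nil)
  # Logger#add consults the block only when no message was given; keep that contract
  message = yield if message.nil? && block_given?
  super(severity, redact(message), redact(progname))
end

# Logger#<< writes straight to the log device, bypassing #add
def <<(msg)
  super(redact(msg))
end

private

# Applies every configured pattern to text; nil passes through so Logger's own fallbacks still apply
def redact(text)
  return text if text.nil?
  @redact_patterns.reduce(text.to_s) { |acc, pattern| acc.gsub(pattern, @redacted_msg) }
end
```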
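--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RedactingLogger
+module Version
+VERSION = "1.0.0"
+end
+end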
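Review bot: `module RedactingLogger` on line 3 of the hunk conflicts with `class RedactingLogger < Logger` in lib/redacting_logger.rb: whichever file is loaded second raises a TypeError (`RedactingLogger is not a module`, or a superclass mismatch if this file came first), so the version constant cannot be read in a process that also has the logger loaded. The gemspec only ever requires this file on its own, which is presumably why the build passes. Reopen the class instead — `require "logger"` followed by `class RedactingLogger < Logger` in place of the module line — or move `VERSION` into redacting_logger.rb.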
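--- a/data/redacting-logger.gemspec
+++ b/data/redacting-logger.gemspec
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "lib/version"
+
+Gem::Specification.new do |spec|
+spec.name = "redacting-logger"
+spec.version = RedactingLogger::Version::VERSION
+spec.authors = ["GitHub", "GitHub Security"]
+spec.email = "opensource@github.com"
+spec.license = "MIT"
+
+spec.summary = "A redacting Ruby logger to prevent the leaking of secrets via logs"
+spec.description = <<~SPEC_DESC
+A redacting Ruby logger to prevent the leaking of secrets via logs
+SPEC_DESC
+
+spec.homepage = "https://github.com/github/redacting-logger"
+spec.metadata = {
+"source_code_uri" => "https://github.com/github/redacting-logger",
+"documentation_uri" => "https://github.com/github/redacting-logger",
+"bug_tracker_uri" => "https://github.com/github/redacting-logger/issues"
+}
+
+spec.add_dependency "logger", "~> 1.6"
+
+spec.required_ruby_version = Gem::Requirement.new(">= 3.0.0")
+
+spec.files = %w[LICENSE README.md redacting-logger.gemspec]
+spec.files += Dir.glob("lib/**/*.rb")
+spec.require_paths = ["lib"]
+end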
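Review bot: The `spec.metadata` hash on lines 18–22 of the hunk does not set `"rubygems_mfa_required" => "true"`, so a leaked or phished maintainer API key alone would be enough to publish a new version of a gem whose whole purpose is keeping secrets out of logs; adding that key makes RubyGems require MFA for pushes. `spec.files += Dir.glob("lib/**/*.rb")` on line 29 packages whatever `.rb` files exist under lib at build time, which is convenient but means the published contents depend on the state of the build checkout rather than on an explicit list — worth a comment if that is intended.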
metadata ADDED
@@ -0,0 +1,68 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: redacting-logger
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.0
5
+ platform: ruby
6
+ authors:
7
+ - GitHub
8
+ - GitHub Security
9
+ autorequire:
10
+ bindir: bin
11
+ cert_chain: []
12
+ date: 2023-11-22 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
15
+ name: logger
16
+ requirement: !ruby/object:Gem::Requirement
17
+ requirements:
18
+ - - "~>"
19
+ - !ruby/object:Gem::Version
20
+ version: '1.6'
21
+ type: :runtime
22
+ prerelease: false
23
+ version_requirements: !ruby/object:Gem::Requirement
24
+ requirements:
25
+ - - "~>"
26
+ - !ruby/object:Gem::Version
27
+ version: '1.6'
28
+ description: 'A redacting Ruby logger to prevent the leaking of secrets via logs
29
+
30
+ '
31
+ email: opensource@github.com
32
+ executables: []
33
+ extensions: []
34
+ extra_rdoc_files: []
35
+ files:
36
+ - LICENSE
37
+ - README.md
38
+ - lib/patterns/default.rb
39
+ - lib/redacting_logger.rb
40
+ - lib/version.rb
41
+ - redacting-logger.gemspec
42
+ homepage: https://github.com/github/redacting-logger
43
+ licenses:
44
+ - MIT
45
+ metadata:
46
+ source_code_uri: https://github.com/github/redacting-logger
47
+ documentation_uri: https://github.com/github/redacting-logger
48
+ bug_tracker_uri: https://github.com/github/redacting-logger/issues
49
+ post_install_message:
50
+ rdoc_options: []
51
+ require_paths:
52
+ - lib
53
+ required_ruby_version: !ruby/object:Gem::Requirement
54
+ requirements:
55
+ - - ">="
56
+ - !ruby/object:Gem::Version
57
+ version: 3.0.0
58
+ required_rubygems_version: !ruby/object:Gem::Requirement
59
+ requirements:
60
+ - - ">="
61
+ - !ruby/object:Gem::Version
62
+ version: '0'
63
+ requirements: []
64
+ rubygems_version: 3.4.10
65
+ signing_key:
66
+ specification_version: 4
67
+ summary: A redacting Ruby logger to prevent the leaking of secrets via logs
68
+ test_files: []