redacting-logger 1.0.0

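--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: '0913f102f2fa739214c54f742359f8771cc84212e9a8fcdd05eeff041b54a42d'
+  data.tar.gz: 8bc325f2c2fb50c9e32f70abe8ba4d6ac8236597a8a3bb43c90179cdb516ea53
+SHA512:
+  metadata.gz: 5b3abad7e1a467c4bf63ee3aea78a790b04cd83799199c79bf91e6e1ae9617f6081cd83bcb09acafaee5e0ba579028ffb78a89f75b289bc0924fde6918eb92a7
+  data.tar.gz: f5ea63ec3062cc32284a73b05f991ae5b05e1987cfa0c009b7d3d3629cacd9854e71e375f099e5f5b0cfc2421e7f38964b9b11e32d0abd43547b897837b8c676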
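--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Grant Birkinbine
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.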
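--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,84 @@
+# redacting-logger
+
+[![test](https://github.com/github/redacting-logger/actions/workflows/test.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/test.yml) [![lint](https://github.com/github/redacting-logger/actions/workflows/lint.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/lint.yml) [![build](https://github.com/github/redacting-logger/actions/workflows/build.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/build.yml) [![CodeQL](https://github.com/github/redacting-logger/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/codeql-analysis.yml) [![release](https://github.com/github/redacting-logger/actions/workflows/release.yml/badge.svg)](https://github.com/github/redacting-logger/actions/workflows/release.yml)
+
+A redacting Ruby logger to prevent the leaking of secrets via logs
+
+> This Gem wraps the official Ruby [`logger`](https://github.com/ruby/logger) utility
+
+![Gem](docs/assets/gem.png)
+
+## Installation 💎
+
+You can download this Gem from [GitHub Packages](https://github.com/github/redacting-logger/pkgs/rubygems/redacting-logger) or [RubyGems](https://rubygems.org/gems/redacting-logger)
+
+Via a Gemfile:
+
+```ruby
+source "https://rubygems.org"
+
+gem "redacting-logger", "~> X.X.X" # Replace X.X.X with the latest version
+```
+
+## Usage 💻
+
+### Basic
+
+```ruby
+require "redacting_logger"
+
+# Create a new logger
+logger = RedactingLogger.new(redact_patterns: [/topsecret/])
+
+# Log a message that contains some redacted pattern
+logger.info("This is a topsecret message.")
+```
+
+This will output:
+
+```text
+I, [timestamp] INFO -- : This is a [REDACTED] message.
+```
+
+### Advanced
+
+```ruby
+require "redacting_logger"
+
+# Create a new logger
+logger = RedactingLogger.new(
+  $stdout, # The device to log to (defaults to $stdout if not provided)
+  redact_patterns: [/REDACTED_PATTERN1/, /REDACTED_PATTERN2/], # An array of Regexp patterns to redact from the logs
+  level: Logger::INFO, # The log level to use
+  redacted_msg: "[REDACTED]", # The message to replace the redacted patterns with
+  use_default_patterns: true # Whether to use the default built-in patterns or not
+)
+
+# Log a message that contains some redacted patterns
+logger.info("This is a message with a REDACTED_PATTERN1 and REDACTED_PATTERN2 in it.")
+```
+
+This will output:
+
+```text
+I, [timestamp] INFO -- : This is a message with a [REDACTED] and [REDACTED] in it.
+```
+
+## Default Redaction Patterns
+
+This Gem comes pre-built with a few redaction patterns to help you get started. These patterns can be located in [`lib/patterns/default.rb`](lib/patterns/default.rb)
+
+A few examples of these patterns are:
+
+- GitHub Personal Access Tokens
+- GitHub Temporary Actions Tokens
+- RSA Private Keys
+- JWT Tokens
+
+You can disable these default patterns with:
+
+```ruby
+logger = RedactingLogger.new(
+  use_default_patterns: false # Whether to use the default built-in patterns or not
+)
+```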
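--- a/data/lib/patterns/default.rb
+++ b/data/lib/patterns/default.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This module contains the default patterns to redact.
+module Patterns
+  DEFAULT = [
+    /ghp_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/, # GitHub Personal Access Token
+    /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, # GitHub Personal Access Token (fine-grained)
+    /ghs_[a-zA-Z0-9]{36}/, # Temporary GitHub Actions Tokens
+    /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$)/, # JWT tokens
+    /(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----/ # private keys
+  ].freeze
+end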
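Review bot: The `[0-9A-Fa-f]{40,}` alternative in the first pattern is commented only as a GitHub Personal Access Token, but it matches any run of 40 or more hex digits, so commit SHAs and SHA-1/SHA-256 digests appearing in log lines are replaced with the redacted message as well; the comment should say so, since callers keeping `use_default_patterns: true` will otherwise be puzzled by hashes vanishing from their logs. The `ghp_` prefix also covers only one of GitHub's token families; OAuth (`gho_`), user-to-server (`ghu_`) and refresh (`ghr_`) tokens share the same shape, so `/gh[pour]_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/, # GitHub tokens (ghp/gho/ghu/ghr) and legacy 40-hex tokens; also matches commit SHAs` would close that gap in one line (`ghs_` is already handled by the next pattern). The JWT pattern's trailing `(?:['|\"|\n|\r|\s|\x60|;]|$)` group is part of the match, so gsub also removes the quote or newline that follows the token; a lookahead `(?=['"\n\r\s\x60;]|$)` keeps the delimiter while still bounding the token.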
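--- a/data/lib/redacting_logger.rb
+++ b/data/lib/redacting_logger.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "logger"
+require_relative "patterns/default"
+
+# RedactingLogger is a custom logger that extends the standard Logger class.
+# It redacts specified patterns in the log messages.
+class RedactingLogger < Logger
+  # Initializes a new instance of the RedactingLogger class.
+  #
+  # @param logdev [Object] The log device. Defaults to $stdout.
+  # @param shift_age [Integer] The number of old log files to keep.
+  # @param shift_size [Integer] The maximum logfile size.
+  # @param redact_patterns [Array<String>] The patterns to redact from the log messages. Defaults to [].
+  # @param redacted_msg [String] The message to replace the redacted patterns with.
+  # @param use_default_patterns [Boolean] Whether to use the default patterns or not.
+  # @param kwargs [Hash] Additional options to pass to the Logger class.
+  #
+  # logdev, shift_age, and shift_size are all using the defaults from the standard Logger class. -> https://github.com/ruby/logger/blob/0996f90650fd95718f0ffe835b965de18654b71c/lib/logger.rb#L578-L580
+  def initialize(
+    logdev = $stdout,
+    shift_age = 0,
+    shift_size = 1048576,
+    redact_patterns: [],
+    redacted_msg: "[REDACTED]",
+    use_default_patterns: true,
+    **kwargs
+  )
+    super(logdev, shift_age, shift_size, **kwargs)
+    @redact_patterns = redact_patterns
+    @redacted_msg = redacted_msg
+    @redact_patterns += Patterns::DEFAULT if use_default_patterns
+  end
+
+  # Adds a message to the log.
+  #
+  # @param severity [Integer] The severity level of the message.
+  # @param message [String] The message to log.
+  # @param progname [String] The name of the program.
+  def add(severity, message = nil, progname = nil)
+    message, progname = yield if block_given?
+
+    if message
+      @redact_patterns.each do |pattern|
+        message = message.to_s.gsub(pattern, @redacted_msg)
+      end
+    end
+
+    if progname
+      @redact_patterns.each do |pattern|
+        progname = progname.to_s.gsub(pattern, @redacted_msg)
+      end
+    end
+
+    super(severity, message, progname)
+  end
+end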
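Review bot: `message, progname = yield` at hunk line 41 breaks the block form of the Logger API: a call such as `logger.info("worker") { expensive_msg }` reaches `add` as message=nil, progname="worker" with a block, and the destructuring assignment overwrites progname with nil (or with the second element if the block returns an array) while also evaluating the block before Logger#add has compared the severity with the configured level, so the lazy evaluation the block form exists for is lost. Forwarding a wrapping block to super keeps both behaviours and lets the two gsub loops collapse into one helper, sketched below. Logger#<< writes to the log device without going through #add, so `logger << "..."` is, as far as I can see, not redacted at all; the sketch overrides it too. The docstring's `@param redact_patterns [Array<String>]` should read `[Array<Regexp, String>]`, since the README only shows Regexp values and gsub accepts either.
```ruby
  # … unchanged: initialize …

  # Adds a message to the log, redacting message and progname before Logger sees them.
  # A block is wrapped rather than evaluated here so Logger#add still applies its
  # level check first and the positional progname is preserved.
  def add(severity, message = nil, progname = nil, &block)
    if block
      redacting_block = proc { redact(block.call) }
      return super(severity, message, redact(progname), &redacting_block)
    end

    super(severity, redact(message), redact(progname))
  end

  # Logger#<< bypasses #add and writes straight to the device, so redact here as well.
  def <<(msg)
    super(redact(msg))
  end

  private

  # Applies every configured pattern to the stringified value; nil stays nil so
  # Logger's own defaulting of message/progname still applies.
  def redact(value)
    return nil if value.nil?

    @redact_patterns.reduce(value.to_s) { |str, pattern| str.gsub(pattern, @redacted_msg) }
  end
```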
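--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RedactingLogger
+  module Version
+    VERSION = "1.0.0"
+  end
+end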
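--- a/data/redacting-logger.gemspec
+++ b/data/redacting-logger.gemspec
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative "lib/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "redacting-logger"
+  spec.version = RedactingLogger::Version::VERSION
+  spec.authors = ["GitHub", "GitHub Security"]
+  spec.email = "opensource@github.com"
+  spec.license = "MIT"
+
+  spec.summary = "A redacting Ruby logger to prevent the leaking of secrets via logs"
+  spec.description = <<~SPEC_DESC
+    A redacting Ruby logger to prevent the leaking of secrets via logs
+  SPEC_DESC
+
+  spec.homepage = "https://github.com/github/redacting-logger"
+  spec.metadata = {
+    "source_code_uri" => "https://github.com/github/redacting-logger",
+    "documentation_uri" => "https://github.com/github/redacting-logger",
+    "bug_tracker_uri" => "https://github.com/github/redacting-logger/issues"
+  }
+
+  spec.add_dependency "logger", "~> 1.6"
+
+  spec.required_ruby_version = Gem::Requirement.new(">= 3.0.0")
+
+  spec.files = %w[LICENSE README.md redacting-logger.gemspec]
+  spec.files += Dir.glob("lib/**/*.rb")
+  spec.require_paths = ["lib"]
+end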
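Review bot: `require_relative "lib/version"` loads a file that declares `module RedactingLogger`, while lib/redacting_logger.rb (shipped in the same gem, see the files list) declares `class RedactingLogger < Logger`; whichever is loaded second raises a TypeError (`RedactingLogger is not a class` or `is not a module`), so any process that requires both, for example to print the gem version, fails at load time. Keeping the constant on the class avoids the clash: in lib/version.rb use `require "logger"` followed by `class RedactingLogger < Logger; VERSION = "1.0.0"; end`, and here `spec.version = RedactingLogger::VERSION`. Separately, `spec.metadata` carries no `"rubygems_mfa_required" => "true"` entry; adding it makes RubyGems require multi-factor authentication for pushes of this gem, which is the usual supply-chain hardening for a library whose purpose is keeping secrets out of logs.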
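--- a/metadata
+++ b/metadata
@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification
+name: redacting-logger
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- GitHub
+- GitHub Security
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-11-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+description: 'A redacting Ruby logger to prevent the leaking of secrets via logs
+
+  '
+email: opensource@github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/patterns/default.rb
+- lib/redacting_logger.rb
+- lib/version.rb
+- redacting-logger.gemspec
+homepage: https://github.com/github/redacting-logger
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/github/redacting-logger
+  documentation_uri: https://github.com/github/redacting-logger
+  bug_tracker_uri: https://github.com/github/redacting-logger/issues
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key:
+specification_version: 4
+summary: A redacting Ruby logger to prevent the leaking of secrets via logs
+test_files: []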