npm - @crowdin/app-project-module - Versions diffs - 1.14.0 → 1.15.0 - Mend

@crowdin/app-project-module 1.14.0 → 1.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/out/index.js +2 -0
package/out/static/ui/form.bundle.js +219 -46
package/out/static/ui/form.bundle.js.map +1 -1
package/out/util/log-sanitizer.d.ts +18 -0
package/out/util/log-sanitizer.js +169 -0
package/package.json +2 -2

package/out/util/log-sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Masks JWTs, bearer tokens, passwords, API keys, and other secrets in log records
+ * before they leave the process (stdout / Sentry). Registered with @crowdin/logs-formatter
+ * at SDK bootstrap so every Crowdin app built on this SDK benefits without per-app changes.
+ *
+ * NOTE: a separate field-value masker lives at src/util/credentials-masker.ts (maskKey) —
+ * it masks ALL but last 3 chars with '*', operates on form-data fields, and is wired into
+ * request/response middleware. The two are intentionally distinct: this sanitizer uses
+ * "first 4 chars + ***" on log records, and the field masker uses "***...XYZ" on form
+ * payloads. Do not mix them.
+ */
+import type { LogRecord, Sanitizer } from '@crowdin/logs-formatter';
+export type { LogRecord, Sanitizer };
+export declare const MASK_PLACEHOLDER = "***";
+export declare function maskString(input: string): string;
+export declare function maskUrl(url: string): string;
+export declare function sanitizeValue(value: unknown): unknown;
+export declare function crowdinLogSanitizer(record: LogRecord): LogRecord;

package/out/util/log-sanitizer.js ADDED Viewed

@@ -0,0 +1,169 @@
+"use strict";
+/**
+ * Masks JWTs, bearer tokens, passwords, API keys, and other secrets in log records
+ * before they leave the process (stdout / Sentry). Registered with @crowdin/logs-formatter
+ * at SDK bootstrap so every Crowdin app built on this SDK benefits without per-app changes.
+ *
+ * NOTE: a separate field-value masker lives at src/util/credentials-masker.ts (maskKey) —
+ * it masks ALL but last 3 chars with '*', operates on form-data fields, and is wired into
+ * request/response middleware. The two are intentionally distinct: this sanitizer uses
+ * "first 4 chars + ***" on log records, and the field masker uses "***...XYZ" on form
+ * payloads. Do not mix them.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MASK_PLACEHOLDER = void 0;
+exports.maskString = maskString;
+exports.maskUrl = maskUrl;
+exports.sanitizeValue = sanitizeValue;
+exports.crowdinLogSanitizer = crowdinLogSanitizer;
+const SENSITIVE_KEY_REGEX = /^(jwt|jwt[_-]?token|token|access[_-]?token|refresh[_-]?token|api[_-]?key|secret|client[_-]?secret|password|passwd|pwd|authorization|cookie|set-cookie|x-api-key)$/i;
+const JWT_REGEX = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
+const BEARER_REGEX = /Bearer\s+[A-Za-z0-9._\-+/=]+/gi;
+const URL_USERINFO_REGEX = /(\b[a-z][a-z0-9+.-]*:\/\/)([^@\s/]+):([^@\s]+)@/gi;
+// Matches util.inspect-style "<sensitiveKey>: '<value>'" with single/double/backtick quotes,
+// honoring backslash escapes inside the value (e.g. \' or \" or \\).
+const INSPECTED_FIELD_REGEX = /\b(jwt(?:[_-]?token)?|token|access[_-]?token|refresh[_-]?token|api[_-]?key|secret|client[_-]?secret|password|passwd|pwd|authorization|cookie|set-cookie|x-api-key)\s*:\s*(['"`])((?:\\\2|(?!\2).)*)\2/gi;
+// Sanitizer runs on every log call; skip the regex passes when no candidate token is present.
+const SANITIZE_HINT_REGEX = /eyJ|bearer|:\/\/|password|passwd|pwd|cookie|token|api[_-]?key|secret|authorization|jwt/i;
+const MAX_DEPTH = 10;
+exports.MASK_PLACEHOLDER = '***';
+function maskPrefix4(value) {
+    return value.length <= 4 ? exports.MASK_PLACEHOLDER : value.slice(0, 4) + exports.MASK_PLACEHOLDER;
+}
+function maskInspectedFields(input) {
+    return input.replace(INSPECTED_FIELD_REGEX, (_, key, quote, value) => {
+        const unescaped = value.replace(/\\(.)/g, '$1');
+        return `${key}: ${quote}${maskPrefix4(unescaped)}${quote}`;
+    });
+}
+function maskString(input) {
+    if (typeof input !== 'string' || input.length === 0) {
+        return input;
+    }
+    if (!SANITIZE_HINT_REGEX.test(input)) {
+        return input;
+    }
+    return maskInspectedFields(input)
+        .replace(JWT_REGEX, maskPrefix4)
+        .replace(BEARER_REGEX, `Bearer ${exports.MASK_PLACEHOLDER}`)
+        .replace(URL_USERINFO_REGEX, (_, scheme, user) => `${scheme}${user}:${exports.MASK_PLACEHOLDER}@`);
+}
+function maskValueAsKey(value) {
+    return typeof value === 'string' ? maskPrefix4(value) : exports.MASK_PLACEHOLDER;
+}
+function maskUrl(url) {
+    if (typeof url !== 'string') {
+        return url;
+    }
+    const queryIndex = url.indexOf('?');
+    if (queryIndex === -1) {
+        return maskString(url);
+    }
+    const head = url.slice(0, queryIndex);
+    const tail = url.slice(queryIndex + 1);
+    const [queryPart, ...fragmentParts] = tail.split('#');
+    const fragment = fragmentParts.length ? '#' + fragmentParts.join('#') : '';
+    const maskedQuery = queryPart
+        .split('&')
+        .map((pair) => {
+        const eq = pair.indexOf('=');
+        if (eq === -1) {
+            return pair;
+        }
+        const key = pair.slice(0, eq);
+        const value = pair.slice(eq + 1);
+        const decodedKey = safeDecode(key);
+        if (SENSITIVE_KEY_REGEX.test(decodedKey)) {
+            return `${key}=${maskValueAsKey(safeDecode(value))}`;
+        }
+        return `${key}=${maskString(value)}`;
+    })
+        .join('&');
+    return `${maskString(head)}?${maskedQuery}${fragment}`;
+}
+function safeDecode(value) {
+    try {
+        return decodeURIComponent(value);
+    }
+    catch (_a) {
+        return value;
+    }
+}
+function sanitizeValue(value) {
+    return sanitizeValueImpl(value, 0, new WeakSet());
+}
+const HANDLED_ERROR_KEYS = new Set(['name', 'message', 'stack']);
+function sanitizeValueImpl(value, depth, seen) {
+    if (value === null || value === undefined) {
+        return value;
+    }
+    if (depth > MAX_DEPTH) {
+        return '[Truncated: max depth]';
+    }
+    if (typeof value === 'string') {
+        return maskString(value);
+    }
+    if (typeof value !== 'object') {
+        return value;
+    }
+    if (seen.has(value)) {
+        return '[Circular]';
+    }
+    seen.add(value);
+    if (Array.isArray(value)) {
+        return value.map((item) => sanitizeValueImpl(item, depth + 1, seen));
+    }
+    if (value instanceof Error) {
+        const out = {
+            name: value.name,
+            message: maskString(value.message),
+        };
+        if (value.stack) {
+            out.stack = maskString(value.stack);
+        }
+        for (const key of Object.keys(value)) {
+            if (HANDLED_ERROR_KEYS.has(key)) {
+                continue;
+            }
+            out[key] = sanitizeField(key, value[key], depth, seen);
+        }
+        return out;
+    }
+    const out = {};
+    for (const [key, v] of Object.entries(value)) {
+        out[key] = sanitizeField(key, v, depth, seen);
+    }
+    return out;
+}
+function sanitizeField(key, value, depth, seen) {
+    if (SENSITIVE_KEY_REGEX.test(key)) {
+        return maskValueAsKey(value);
+    }
+    if ((key === 'url' || key === 'originalUrl' || key === 'href') && typeof value === 'string') {
+        return maskUrl(value);
+    }
+    return sanitizeValueImpl(value, depth + 1, seen);
+}
+// Returns a new LogRecord — never mutates the input. Falls back to the original record
+// on any throw so a sanitizer bug can't bring down the logging pipeline. (logs-formatter
+// also catches throws at the pipeline level; this inner guard is defense in depth.)
+// Typed with concrete LogRecord return (not Sanitizer's broader `LogRecord | void`) so
+// callers and tests get a non-nullable result; still assignable to Sanitizer.
+function crowdinLogSanitizer(record) {
+    try {
+        return {
+            level: record.level,
+            message: typeof record.message === 'string' ? maskString(record.message) : record.message,
+            rawParams: Array.isArray(record.rawParams)
+                ? record.rawParams.map((p) => sanitizeValue(p))
+                : record.rawParams,
+            context: sanitizeValue(record.context),
+            record: record.record && typeof record.record === 'object'
+                ? sanitizeValue(record.record)
+                : record.record,
+        };
+    }
+    catch (_a) {
+        return record;
+    }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@crowdin/app-project-module",
-  "version": "1.14.0",
+  "version": "1.15.0",
   "description": "Module that generates for you all common endpoints for serving standalone Crowdin App",
   "main": "out/index.js",
   "types": "out/index.d.ts",
@@ -62,7 +62,7 @@
   ],
   "dependencies": {
     "@crowdin/crowdin-api-client": "^1.55.0",
-    "@crowdin/logs-formatter": "^2.2.0",
+    "@crowdin/logs-formatter": "^2.3.0",
     "@godaddy/terminus": "^4.12.1",
     "ajv": "^8.17.1",
     "amqplib": "^0.10.9",