json-logify 0.1.2__tar.gz → 0.1.3__tar.gz

{json_logify-0.1.2 → json_logify-0.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: json-logify
-Version: 0.1.2
+Version: 0.1.3
 Summary: Universal structured logging with exact JSON schema for Python frameworks
 Author-email: Bakdoolot Kulbarakov <kulbarakovbh@gmail.com>
 Maintainer-email: Bakdoolot Kulbarakov <kulbarakovbh@gmail.com>

{json_logify-0.1.2 → json_logify-0.1.3}/json_logify.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: json-logify
-Version: 0.1.2
+Version: 0.1.3
 Summary: Universal structured logging with exact JSON schema for Python frameworks
 Author-email: Bakdoolot Kulbarakov <kulbarakovbh@gmail.com>
 Maintainer-email: Bakdoolot Kulbarakov <kulbarakovbh@gmail.com>

{json_logify-0.1.2 → json_logify-0.1.3}/json_logify.egg-info/SOURCES.txt

@@ -12,7 +12,9 @@ logify/django.py
 logify/fastapi.py
 logify/flask.py
 logify/version.py
+tests/test_config_logic.py
 tests/test_core.py
 tests/test_django.py
 tests/test_fastapi.py
-tests/test_flask.py
+tests/test_flask.py
+tests/test_security_masking.py

{json_logify-0.1.2 → json_logify-0.1.3}/logify/core.py

@@ -15,6 +15,62 @@ import structlog
 # Context variables for request tracking
 _request_context: ContextVar[Dict[str, Any]] = ContextVar("request_context", default={})
 
+# Internal configuration storage
+_config = {
+    "MAX_STRING_LENGTH": 100,
+    "SENSITIVE_FIELDS": {
+        "password",
+        "passwd",
+        "pass",
+        "pwd",
+        "secret",
+        "token",
+        "key",
+        "api_key",
+        "access_token",
+        "refresh_token",
+        "auth_token",
+        "session_key",
+        "private_key",
+        "credit_card",
+        "card_number",
+        "cvv",
+        "ssn",
+        "social_security_number",
+    },
+}
+
+
+def configure_core(sensitive_fields=None, replace_sensitive_defaults=False, max_string_length=None):
+    """
+    Configure core logging settings.
+
+    Args:
+        sensitive_fields: List or set of field names to mask
+        replace_sensitive_defaults: If True, replace default sensitive fields with provided ones.
+                                  If False, merge provided fields with defaults.
+        max_string_length: Maximum length for string truncation
+    """
+    if sensitive_fields is not None:
+        new_fields = set()
+        if isinstance(sensitive_fields, (list, tuple)):
+            new_fields = set(field.lower() for field in sensitive_fields)
+        elif isinstance(sensitive_fields, set):
+            new_fields = set(field.lower() for field in sensitive_fields)
+
+        if replace_sensitive_defaults:
+            _config["SENSITIVE_FIELDS"] = new_fields
+        else:
+            _config["SENSITIVE_FIELDS"].update(new_fields)
+
+    if max_string_length is not None:
+        _config["MAX_STRING_LENGTH"] = max_string_length
+
+
+def get_config_value(key: str, default=None):
+    """Get a value from core configuration."""
+    return _config.get(key, default)
+
 
 def orjson_serializer(_, __, event_dict):
     """Serialize log entries using orjson for performance."""
@@ -23,15 +79,7 @@ def orjson_serializer(_, __, event_dict):
 
 def truncate_long_strings(_, __, event_dict):
     """Truncate long strings in log entries based on max_string_length setting."""
-    # Get max length from global settings only
-    max_length = 100
-    try:
-        from .django import _get_setting
-
-        max_length = _get_setting("LOGIFY_MAX_STRING_LENGTH", 100)
-    except ImportError:
-        # Use default if django module not available
-        pass
+    max_length = _config["MAX_STRING_LENGTH"]
 
     # Truncate long strings - only if max_length is positive
     if max_length > 0:
@@ -44,14 +92,7 @@ def truncate_long_strings(_, __, event_dict):
 
 def clean_non_serializable_objects(_, __, event_dict):
     """Clean non-serializable objects from log entries."""
-    # Get settings for string length limits
-    max_length = 100
-    try:
-        from .django import _get_setting
-
-        max_length = _get_setting("LOGIFY_MAX_STRING_LENGTH", 100)
-    except ImportError:
-        pass
+    max_length = _config["MAX_STRING_LENGTH"]
 
     cleaned = {}
     for key, value in event_dict.items():
@@ -75,63 +116,78 @@ def clean_non_serializable_objects(_, __, event_dict):
 
 def mask_sensitive_fields(_, __, event_dict):
     """Mask sensitive fields in log entries recursively."""
-    # Default sensitive fields
-    default_sensitive = [
-        "password",
-        "passwd",
-        "pass",
-        "pwd",
-        "secret",
-        "token",
-        "key",
-        "api_key",
-        "access_token",
-        "refresh_token",
-        "auth_token",
-        "session_key",
-        "private_key",
-        "credit_card",
-        "card_number",
-        "cvv",
-        "ssn",
-        "social_security_number",
-    ]
-
-    # Get sensitive fields from global settings only
-    sensitive_fields = default_sensitive
-    try:
-        from .django import _get_setting
+    sensitive_fields = _config["SENSITIVE_FIELDS"]
+
+    def _mask_value_if_sensitive(key, value):
+        """Check if key is sensitive and return masked value if so."""
+        key_lower = key.lower()
+        if any(s in key_lower for s in sensitive_fields):
+            if value and str(value).strip():
+                return "***"
+        return value
+
+    def _scrub_string(text):
+        """Scrub sensitive data from strings (e.g. url encoded bodies, query strings)."""
+        if not text:
+            return text
+
+        # Handle URLs with query parameters
+        if "?" in text:
+            base, query = text.split("?", 1)
+            # Recursively scrub the query part
+            scrubbed_query = _scrub_string(query)
+            return f"{base}?{scrubbed_query}"
+
+        # pattern matching for key=value pairs where key is sensitive
+        # We do a simple approach: split by & and =
+        if "=" in text:
+            # Check if this looks like a query string or form data
+            # This is a heuristic
+            parts = text.split("&")
+            new_parts = []
+            modified = False
+
+            for part in parts:
+                if "=" in part:
+                    k, v = part.split("=", 1)
+                    # Check if key is sensitive
+                    k_lower = k.lower()
+                    if any(s in k_lower for s in sensitive_fields):
+                        new_parts.append(f"{k}=***")
+                        modified = True
+                    else:
+                        new_parts.append(part)
+                else:
+                    new_parts.append(part)
 
-        sensitive_fields = _get_setting("LOGIFY_SENSITIVE_FIELDS", default_sensitive)
-    except ImportError:
-        # Use defaults if django module not available
-        pass
+            if modified:
+                return "&".join(new_parts)
 
-    # Convert to set of lowercase strings
-    if isinstance(sensitive_fields, (list, tuple)):
-        sensitive_fields = set(field.lower() for field in sensitive_fields)
-    elif isinstance(sensitive_fields, set):
-        sensitive_fields = set(field.lower() for field in sensitive_fields)
-    else:
-        sensitive_fields = set(field.lower() for field in default_sensitive)
+        return text
 
     def _mask_recursive(obj):
         """Recursively mask sensitive fields in dicts and lists."""
         if isinstance(obj, dict):
             masked = {}
             for k, v in obj.items():
-                key_lower = k.lower()
-                # Check if key contains any sensitive substring
-                if any(s in key_lower for s in sensitive_fields):
-                    if v and str(v).strip():
-                        masked[k] = "***"
-                    else:
-                        masked[k] = v
-                else:
+                # First check if the key itself is sensitive
+                v_masked = _mask_value_if_sensitive(k, v)
+                if v_masked == "***":
+                    masked[k] = "***"
+                    continue
+
+                # If not masked by key, recurse or string scrub
+                if isinstance(v, (dict, list)):
                     masked[k] = _mask_recursive(v)
+                elif isinstance(v, str):
+                    masked[k] = _scrub_string(v)
+                else:
+                    masked[k] = v
             return masked
         elif isinstance(obj, list):
             return [_mask_recursive(item) for item in obj]
+        elif isinstance(obj, str):
+            return _scrub_string(obj)
         return obj
 
     # Apply masking to the entire event_dict (including top-level keys)
@@ -259,10 +315,23 @@ def get_logger(name: str = "json-logify"):
     return bound_logger
 
 
-def configure_logging(service_name: str = "app", level: str = "INFO"):
+def configure_logging(
+    service_name: str = "app",
+    level: str = "INFO",
+    sensitive_fields=None,
+    replace_sensitive_defaults=False,
+    max_string_length=None,
+):
     """Configure logging for the application."""
     import logging
 
+    # Configure core settings
+    configure_core(
+        sensitive_fields=sensitive_fields,
+        replace_sensitive_defaults=replace_sensitive_defaults,
+        max_string_length=max_string_length,
+    )
+
     # Set logging level on stdlib logger
     logging.basicConfig(level=getattr(logging, level.upper(), logging.INFO))
 

{json_logify-0.1.2 → json_logify-0.1.3}/logify/django.py

@@ -6,21 +6,43 @@ import logging
 
 import structlog
 
-from .core import clear_request_context, configure_logging, generate_request_id, set_request_context
-
-# Global settings storage for when Django settings are not available
-_global_settings = {}
-
-
-def _set_global_setting(key: str, value):
-    """Set a global setting value."""
-    _global_settings[key] = value
-
-
-def _get_setting(key: str, default=None):
-    """Get setting value from global settings only."""
-    # Return value from global settings (set by get_logging_config parameters)
-    return _global_settings.get(key, default)
+from .core import clear_request_context, configure_core
+from .core import configure_logging as configure_core_logging
+from .core import generate_request_id, get_config_value, info, set_request_context
+
+# Django-specific settings storage
+_django_settings = {
+    "SERVICE_NAME": "django",
+    "IGNORE_PATHS": ["/health/", "/healthz/", "/api/schema/", "/static/", "/favicon.ico", "/robots.txt"],
+    "EXCLUDED_FIELDS": {
+        "name",
+        "msg",
+        "args",
+        "levelname",
+        "levelno",
+        "pathname",
+        "filename",
+        "module",
+        "lineno",
+        "funcName",
+        "created",
+        "msecs",
+        "relativeCreated",
+        "thread",
+        "threadName",
+        "processName",
+        "process",
+        "message",
+        "exc_info",
+        "exc_text",
+        "stack_info",
+        "getMessage",
+        "request",
+        "response",
+        "server_time",
+        "status_code",
+    },
+}
 
 
 def get_logging_config(
@@ -29,6 +51,7 @@ def get_logging_config(
     json_logs: bool = True,
     excluded_fields: list = None,
     sensitive_fields: list = None,
+    replace_sensitive_defaults: bool = False,
     max_string_length: int = None,
     ignore_paths: list = None,
 ):
@@ -41,6 +64,7 @@ def get_logging_config(
         json_logs: Whether to enable JSON logging
         excluded_fields: List of fields to exclude from logs
         sensitive_fields: List of fields to mask with *** (also used for sensitive headers)
+        replace_sensitive_defaults: If True, replace default sensitive fields. If False, merge.
         max_string_length: Maximum length for string truncation
         ignore_paths: List of URL paths to ignore from logging
 
@@ -51,23 +75,31 @@ def get_logging_config(
             level="INFO",
             excluded_fields=["custom_field"],
             sensitive_fields=["password", "secret", "authorization"],
+            replace_sensitive_defaults=False, # Optional, defaults to False (merge)
             max_string_length=200,
             ignore_paths=["/health/", "/static/"]
         )
     """
+    # Configure core settings (this sets global state in core module)
+    configure_core(
+        sensitive_fields=sensitive_fields,
+        replace_sensitive_defaults=replace_sensitive_defaults,
+        max_string_length=max_string_length,
+    )
+
     if json_logs:
-        configure_logging(service_name=service_name, level=level)
+        # This sets up the structlog pipeline
+        configure_core_logging(service_name=service_name, level=level)
+
+    # Store Django-specific settings
+    _django_settings["SERVICE_NAME"] = service_name
 
-    # Store settings globally for the processors to use
-    _set_global_setting("SERVICE_NAME", service_name)
     if excluded_fields is not None:
-        _set_global_setting("LOGIFY_EXCLUDED_FIELDS", excluded_fields)
-    if sensitive_fields is not None:
-        _set_global_setting("LOGIFY_SENSITIVE_FIELDS", sensitive_fields)
-    if max_string_length is not None:
-        _set_global_setting("LOGIFY_MAX_STRING_LENGTH", max_string_length)
+        default_excluded = _django_settings["EXCLUDED_FIELDS"]
+        _django_settings["EXCLUDED_FIELDS"] = set(default_excluded) | set(excluded_fields)
+
     if ignore_paths is not None:
-        _set_global_setting("LOGIFY_IGNORE_PATHS", ignore_paths)
+        _django_settings["IGNORE_PATHS"] = ignore_paths
 
     return {
         "version": 1,
@@ -116,15 +148,12 @@ class LogifyMiddleware:
         if self._should_ignore_path(request.path):
             return self.get_response(request)
 
-        # Import here to avoid circular imports
-        from .core import info
-
         # Generate request ID and set context
         request_id = generate_request_id()
         request.logify_request_id = request_id
 
-        # Get service name from global settings or use default
-        service_name = _get_setting("SERVICE_NAME", "django-app")
+        # Get service name
+        service_name = _django_settings.get("SERVICE_NAME", "django-app")
 
         # Get user info
         user_info = self._get_user_info(request)
@@ -132,7 +161,7 @@ class LogifyMiddleware:
         # Get and scrub headers
         scrubbed_headers = self._scrub_headers(dict(request.headers))
 
-        # Get request body (no scrubbing - core processors will handle)
+        # Get request body (no scrubbing needed here - core processors will handle masking)
         request_body = self._get_request_body(request)
 
         # Log request start with all context information ONCE
@@ -154,7 +183,7 @@ class LogifyMiddleware:
         try:
             response = self.get_response(request)
 
-            # Get response body with content type filtering (no scrubbing)
+            # Get response body with content type filtering
             response_body = self._get_response_body(response)
 
             # Log request completion with response info
@@ -173,13 +202,7 @@ class LogifyMiddleware:
 
     def _should_ignore_path(self, path):
         """Check if path should be ignored from logging."""
-        # Get ignore paths from global settings
-        default_ignore_paths = ["/health/", "/healthz/", "/api/schema/", "/static/", "/favicon.ico", "/robots.txt"]
-
-        try:
-            ignore_paths = _get_setting("LOGIFY_IGNORE_PATHS", default_ignore_paths)
-        except Exception:
-            ignore_paths = default_ignore_paths
+        ignore_paths = _django_settings.get("IGNORE_PATHS", [])
 
         if isinstance(ignore_paths, (list, tuple)):
             for ignore_path in ignore_paths:
@@ -195,37 +218,13 @@ class LogifyMiddleware:
 
     def _scrub_headers(self, headers):
         """Mask sensitive headers using sensitive_fields settings."""
-        # Get sensitive fields which will be used for headers too
-        default_sensitive = [
-            "password",
-            "passwd",
-            "pass",
-            "pwd",
-            "secret",
-            "token",
-            "key",
-            "api_key",
-            "access_token",
-            "refresh_token",
-            "auth_token",
-            "session_key",
-            "private_key",
-            "authorization",
-            "cookie",
-            "x-api-key",
-            "x-auth-token",
-            "x-csrf-token",
-        ]
-
-        try:
-            sensitive_fields = _get_setting("LOGIFY_SENSITIVE_FIELDS", default_sensitive)
-        except Exception:
-            sensitive_fields = default_sensitive
+        # Get sensitive fields from core config
+        sensitive_fields = get_config_value("SENSITIVE_FIELDS")
 
-        if isinstance(sensitive_fields, (list, tuple)):
-            sensitive_fields = set(field.lower() for field in sensitive_fields)
-        else:
-            sensitive_fields = set(field.lower() for field in default_sensitive)
+        # We need to manually scrub here because headers are a dict we are constructing to pass to log
+        # And we want to label filtered headers specifically as [FILTERED] sometimes, or just use core logic.
+        # But core logic turns things into "***".
+        # Let's align with core logic.
 
         scrubbed = {}
         for key, value in headers.items():
@@ -238,7 +237,7 @@ class LogifyMiddleware:
         return scrubbed
 
     def _get_request_body(self, request):
-        """Get request body with size limits (no scrubbing - core processors will handle)."""
+        """Get request body with size limits."""
         if not request.body:
             return None
 
@@ -249,27 +248,32 @@ class LogifyMiddleware:
             if request.content_type and "json" in request.content_type:
                 import json
 
-                request_body = json.loads(body_bytes.decode("utf-8"))
-                return request_body
-            else:
-                # For non-JSON data, try to parse as form data
-                if request.method in ["POST", "PUT", "PATCH"]:
-                    try:
-                        # Try form data first
-                        form_data = dict(request.POST)
-                        if form_data:
-                            return form_data
-                    except Exception:
-                        pass
-
-                # Fall back to raw string (truncated)
-                return body_bytes.decode("utf-8", errors="replace")[:1000]
+                try:
+                    request_body = json.loads(body_bytes.decode("utf-8"))
+                    return request_body
+                except Exception:
+                    # Fallback if JSON parse fails
+                    pass
+
+            # For non-JSON data, try to parse as form data
+            if request.method in ["POST", "PUT", "PATCH"]:
+                try:
+                    # Try form data first
+                    form_data = dict(request.POST)
+                    if form_data:
+                        return form_data
+                except Exception:
+                    pass
+
+            # Fall back to raw string (truncated)
+            # The CORE processor will mask sensitive data in this string!
+            return body_bytes.decode("utf-8", errors="replace")[:1000]
 
         except Exception:
             return "<non-readable body>"
 
     def _get_response_body(self, response):
-        """Get response body with content type filtering (no scrubbing - core processors will handle)."""
+        """Get response body with content type filtering."""
         if not hasattr(response, "content") or not response.content:
             return None
 
@@ -298,11 +302,14 @@ class LogifyMiddleware:
             if "json" in content_type:
                 import json
 
-                response_body = json.loads(body_bytes.decode("utf-8"))
-                return response_body
-            else:
-                # For non-JSON responses, return truncated text
-                return body_bytes.decode("utf-8", errors="replace")[:1000]
+                try:
+                    response_body = json.loads(body_bytes.decode("utf-8"))
+                    return response_body
+                except Exception:
+                    pass
+
+            # For non-JSON responses, return truncated text
+            return body_bytes.decode("utf-8", errors="replace")[:1000]
 
         except Exception:
             return "<non-readable body>"
@@ -314,7 +321,7 @@ def setup_django_logging(service_name: str = "django"):
     Call this in your Django settings or apps.py
     """
     # Configure json-logify structlog
-    configure_logging(service_name=service_name)
+    configure_core_logging(service_name=service_name)
 
     # Configure structlog to intercept standard logging
     structlog.configure(
@@ -349,85 +356,19 @@ class StructlogHandler(logging.Handler):
         structlog_method = getattr(self.structlog_logger, level_name, self.structlog_logger.info)
 
         # Get excluded fields from settings
-        default_excluded = [
-            "name",
-            "msg",
-            "args",
-            "levelname",
-            "levelno",
-            "pathname",
-            "filename",
-            "module",
-            "lineno",
-            "funcName",
-            "created",
-            "msecs",
-            "relativeCreated",
-            "thread",
-            "threadName",
-            "processName",
-            "process",
-            "message",
-            "exc_info",
-            "exc_text",
-            "stack_info",
-            "getMessage",
-            # Add Django-specific problematic fields
-            "request",
-            "response",
-            "server_time",
-            "status_code",
-        ]
-
-        excluded_fields = _get_setting("LOGIFY_EXCLUDED_FIELDS", default_excluded)
-        if isinstance(excluded_fields, (list, tuple)):
-            excluded_fields = set(excluded_fields)
-        elif not isinstance(excluded_fields, set):
-            excluded_fields = set(default_excluded)
-
-        # Get sensitive fields from settings
-        default_sensitive = [
-            "password",
-            "passwd",
-            "pass",
-            "pwd",
-            "secret",
-            "token",
-            "key",
-            "api_key",
-            "access_token",
-            "refresh_token",
-            "auth_token",
-            "session_key",
-            "private_key",
-            "credit_card",
-            "card_number",
-            "cvv",
-            "ssn",
-            "social_security_number",
-        ]
-        sensitive_fields = _get_setting("LOGIFY_SENSITIVE_FIELDS", default_sensitive)
-        if isinstance(sensitive_fields, (list, tuple)):
-            sensitive_fields = set(field.lower() for field in sensitive_fields)
-        elif not isinstance(sensitive_fields, set):
-            sensitive_fields = set(field.lower() for field in default_sensitive)
+        excluded_fields = _django_settings.get("EXCLUDED_FIELDS", set())
 
-        # Extract extra fields, excluding specified fields and masking sensitive ones
+        # Extract extra fields, excluding specified fields
+        # Note: We rely on core processors to mask sensitive data!
         extra = {}
         for key, value in record.__dict__.items():
             if key not in excluded_fields:
                 # Skip complex objects that can't be JSON serialized
+                # Core has a cleaner which handles this too, but we can filtering here for safety
                 if hasattr(value, "__dict__") and not isinstance(value, (str, int, float, bool, list, dict)):
                     continue
 
-                # Mask sensitive fields
-                if key.lower() in sensitive_fields:
-                    if value and str(value).strip():
-                        extra[key] = "***"
-                    else:
-                        extra[key] = value
-                else:
-                    extra[key] = value
+                extra[key] = value
 
         # Log with structlog
         structlog_method(

{json_logify-0.1.2 → json_logify-0.1.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "json-logify"
-version = "0.1.2"
+version = "0.1.3"
 description = "Universal structured logging with exact JSON schema for Python frameworks"
 readme = "README.md"
 license = {file = "LICENSE"}

json_logify-0.1.3/tests/test_config_logic.py

@@ -0,0 +1,54 @@
+"""Tests for configuration logic."""
+
+from logify.core import configure_core, get_config_value
+
+
+class TestConfigurationLogic:
+    """Test configuration logic including merge and replace strategies."""
+
+    def setup_method(self):
+        """Reset configuration before each test."""
+        # Reset to known state.
+        # Note: We can't easily "reset" global state perfectly without private access,
+        # but we can set it to a known state using replace_sensitive_defaults=True.
+        configure_core(sensitive_fields=["password", "token"], replace_sensitive_defaults=True, max_string_length=100)
+
+    def test_default_merge_behavior(self):
+        """Test that sensitive fields are merged by default."""
+        # Setup initial state
+        configure_core(sensitive_fields=["initial"], replace_sensitive_defaults=True)
+        assert "initial" in get_config_value("SENSITIVE_FIELDS")
+
+        # Test merge (default)
+        configure_core(sensitive_fields=["new_field"])
+
+        fields = get_config_value("SENSITIVE_FIELDS")
+        assert "initial" in fields
+        assert "new_field" in fields
+        assert len(fields) >= 2
+
+    def test_explicit_replace_behavior(self):
+        """Test that sensitive fields are replaced when requested."""
+        # Setup initial state
+        configure_core(sensitive_fields=["initial"], replace_sensitive_defaults=True)
+
+        # Test replace
+        configure_core(sensitive_fields=["replaced"], replace_sensitive_defaults=True)
+
+        fields = get_config_value("SENSITIVE_FIELDS")
+        assert "initial" not in fields
+        assert "replaced" in fields
+        assert len(fields) == 1
+
+    def test_max_string_length_update(self):
+        """Test max string length update."""
+        configure_core(max_string_length=500)
+        assert get_config_value("MAX_STRING_LENGTH") == 500
+
+        configure_core(max_string_length=10)
+        assert get_config_value("MAX_STRING_LENGTH") == 10
+
+    def test_clearing_fields_with_replace(self):
+        """Test clearing all sensitive fields."""
+        configure_core(sensitive_fields=[], replace_sensitive_defaults=True)
+        assert len(get_config_value("SENSITIVE_FIELDS")) == 0

{json_logify-0.1.2 → json_logify-0.1.3}/tests/test_django.py

@@ -208,6 +208,63 @@ class TestLogifyMiddleware:
         response = middleware(request)
         assert response.status_code == 200
 
+    @patch("sys.stdout", new_callable=StringIO)
+    def test_sensitive_body_masking_integration(self, mock_stdout):
+        """
+        REGRESSION TEST: Verify that raw request bodies with sensitive data are masked.
+        This ensures the vulnerability (leaking passwords in raw bodies) is fixed.
+        """
+        from logify.core import configure_logging
+
+        # Reset defaults explicitly to avoid pollution from other tests
+        configure_logging(
+            "test-django", "INFO", sensitive_fields=["password", "token", "secret"], replace_sensitive_defaults=True
+        )
+
+        def mock_get_response(request):
+            return MockDjangoResponse()
+
+        middleware = LogifyMiddleware(mock_get_response)
+
+        # Create a request with a raw body that looks like form data but isn't parsed as such
+        # (e.g. invalid content type or just raw bytes read)
+        sensitive_content = "username=admin&password=supersecretpassword&token=12345"
+
+        request = MockDjangoRequest(method="POST", path="/login")
+        request.body = sensitive_content.encode("utf-8")
+        request.content_type = "application/x-www-form-urlencoded"  # Logic tries to parse this
+
+        # We need to simulate the case where parse fails OR just standard body logging
+        # The middleware `_get_request_body` tries to parse form data if it can.
+        # If we want to test the FALLBACK (raw string scrubbing), we should ensure form parsing fails
+        # OR we just rely on the fact that `request.POST` might be empty in this mock if we don't set it.
+        # MockDjangoRequest sets self.POST = {}, so parsing returns empty, logic falls back to raw body?
+        # Let's check `django.py`:
+        # if method in POST/PUT...: try: form_data = dict(request.POST); if form_data: return form_data
+        # If request.POST is empty, it falls back to: body_bytes.decode()[:1000]
+        # Perfect.
+
+        middleware(request)
+
+        output = mock_stdout.getvalue().strip()
+
+        # Find the log entry with request_body
+        lines = output.splitlines()
+        log_entry = None
+        for line in lines:
+            if "request_body" in line:
+                log_entry = json.loads(line)
+                break
+
+        assert log_entry is not None, "Did not find log with request_body"
+
+        body_log = log_entry["payload"].get("request_body")
+        assert isinstance(body_log, str), "Body should be logged as string when parsing fails"
+
+        # THE CORE ASSERTION:
+        assert "password=***" in body_log, "Password should be masked in raw body log"
+        assert "supersecretpassword" not in body_log, "vulnerability: Plaintext password leaked!"
+
 
 class TestDjangoIntegration:
     """Test Django integration scenarios."""

json_logify-0.1.3/tests/test_security_masking.py

@@ -0,0 +1,86 @@
+"""Tests for security masking logic."""
+
+
+from logify.core import configure_core, mask_sensitive_fields
+
+
+class TestSecurityMasking:
+    """Test security masking including raw string scrubbing."""
+
+    def setup_method(self):
+        """Set up sensitive fields."""
+        configure_core(sensitive_fields=["password", "token", "secret", "key"], replace_sensitive_defaults=True)
+
+    def test_recursive_dict_masking(self):
+        """Test standard recursive dictionary masking."""
+        event = {
+            "user": "baha",
+            "password": "supersecret",
+            "nested": {"token": "12345", "safe": "data"},
+            "list": [{"key": "private_key", "value": "check"}],
+        }
+
+        masked = mask_sensitive_fields(None, None, event)
+
+        assert masked["password"] == "***"
+        assert masked["nested"]["token"] == "***"
+        assert masked["nested"]["safe"] == "data"
+        assert masked["list"][0]["key"] == "***"
+
+    def test_raw_string_scrubbing_basic(self):
+        """Test scrubbing of raw strings with key=value patterns."""
+        event = {"body": "username=admin&password=secret123&other=value"}
+
+        masked = mask_sensitive_fields(None, None, event)
+
+        assert "password=***" in masked["body"]
+        assert "secret123" not in masked["body"]
+        assert "username=admin" in masked["body"]
+
+    def test_raw_string_scrubbing_multiple(self):
+        """Test scrubbing multiple sensitive fields in one string."""
+        event = {"data": "api_key=12345&secret=ABCDE&public=yes"}
+        # Note: api_key is not in our setup list above, let's add it to be safe or rely on substring match
+        # Wait, 'key' is in the list. 'api_key' contains 'key'.
+
+        masked = mask_sensitive_fields(None, None, event)
+
+        assert "api_key=***" in masked["data"]
+        assert "secret=***" in masked["data"]
+        assert "12345" not in masked["data"]
+        assert "ABCDE" not in masked["data"]
+
+    def test_raw_string_edge_cases(self):
+        """Test edge cases for string scrubbing."""
+        # Empty value
+        event = {"empty": "password="}
+        masked = mask_sensitive_fields(None, None, event)
+        # Should simple remain password= or password=***?
+        # Logic says: parts.split("=", 1).
+        # We assume value is empty string.
+        # Logic: if any(s in k_lower): new_parts.append(f"{k}=***")
+        # So even empty password gets masked to ***. This is acceptable/safer.
+        assert masked["empty"] == "password=***"
+
+        # No sensitive data
+        event = {"safe": "user=admin&role=editor"}
+        masked = mask_sensitive_fields(None, None, event)
+        assert masked["safe"] == "user=admin&role=editor"
+
+        # Malformed but suspicious
+        event = {"weird": "password=secret=token"}
+        # split by &, then each by =.
+        # Here only one part? "password=secret=token"
+        # k="password", v="secret=token".
+        # Should become "password=***".
+        masked = mask_sensitive_fields(None, None, event)
+        assert masked["weird"] == "password=***"
+
+    def test_scrubbing_inside_lists(self):
+        """Test scrubbing strings inside lists."""
+        event = {"history": ["path=/login?password=secret", "normal_string"]}
+
+        masked = mask_sensitive_fields(None, None, event)
+
+        assert "password=***" in masked["history"][0]
+        assert "secret" not in masked["history"][0]