fix: sanitize output logger of sdk key (#467)

statsig-io · Jul 5, 2024 · da036be · da036be
1 parent a29fa27
commit da036be
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/src/OutputLogger.ts b/src/OutputLogger.ts
@@ -2,6 +2,7 @@
 import { LoggerInterface } from './StatsigOptions';
 
 let _logger: LoggerInterface = { ...console, logLevel: 'warn' };
+let _sdkKey: string | null = null;
 
 export default abstract class OutputLogger {
   static getLogger(): LoggerInterface {
@@ -10,7 +11,8 @@ export default abstract class OutputLogger {
 
   static debug(message?: any, ...optionalParams: any[]) {
     if (_logger.logLevel !== 'none') {
-      _logger.debug && _logger.debug(message, ...optionalParams);
+      const sanitizedMessage = this.sanitizeError(message);
+      _logger.debug && _logger.debug(sanitizedMessage, ...optionalParams);
     }
   }
 
@@ -20,27 +22,47 @@ export default abstract class OutputLogger {
       _logger.logLevel === 'warn' ||
       _logger.logLevel === 'error'
     ) {
-      _logger.info && _logger.info(message, ...optionalParams);
+      const sanitizedMessage = this.sanitizeError(message);
+      _logger.info && _logger.info(sanitizedMessage, ...optionalParams);
     }
   }
 
   static warn(message?: any, ...optionalParams: any[]) {
     if (_logger.logLevel === 'warn' || _logger.logLevel === 'error') {
-      _logger.warn(message, ...optionalParams);
+      const sanitizedMessage = this.sanitizeError(message);
+      _logger.warn(sanitizedMessage, ...optionalParams);
     }
   }
 
   static error(message?: any, ...optionalParams: any[]) {
     if (_logger.logLevel === 'error') {
-      _logger.error(message, ...optionalParams);
+      const sanitizedMessage = this.sanitizeError(message);
+      _logger.error(sanitizedMessage, ...optionalParams);
     }
   }
 
-  static setLogger(logger: LoggerInterface) {
+  static setLogger(logger: LoggerInterface, sdkKey: string) {
     _logger = logger;
+    _sdkKey = sdkKey;
   }
 
   static resetLogger() {
     _logger = { ...console, logLevel: 'warn' };
   }
+
+  static sanitizeError(message: any): any {
+    if (_sdkKey === null) {
+      return message;
+    }
+    try {
+      if (typeof message === 'string') {
+        return message.replace(new RegExp(_sdkKey, 'g'), '******');
+      } else if (message instanceof Error) {
+        return message.toString().replace(new RegExp(_sdkKey, 'g'), '******');
+      }
+    } catch (_e) {
+      // ignore
+    }
+    return message;
+  }
 }
diff --git a/src/__tests__/OutputLogger.test.ts b/src/__tests__/OutputLogger.test.ts
@@ -24,8 +24,8 @@ describe('Output Logger Interface', () => {
     expect(errors.length).toEqual(level === 'error' ? 3 : 0);
     if (level === 'error') {
       expect(errors).toContainEqual('statsigSDK> EventName needs to be a string of non-zero length.');
-      expect(errors).toContainEqual(new StatsigInitializeFromNetworkError(new Error(`Request to https://api.statsigcdn.com/v1/download_config_specs/${secretKey}.json?sinceTime=0 failed with status 401`)));
-      expect(errors).toContainEqual(new StatsigInitializeIDListsError(new Error('Request to https://statsigapi.net/v1/get_id_lists failed with status 401')));
+      expect(errors).toContainEqual((new StatsigInitializeFromNetworkError(new Error(`Request to https://api.statsigcdn.com/v1/download_config_specs/******.json?sinceTime=0 failed with status 401`))).toString());
+      expect(errors).toContainEqual((new StatsigInitializeIDListsError(new Error('Request to https://statsigapi.net/v1/get_id_lists failed with status 401'))).toString());
     }
     // @ts-ignore
     let event = new LogEvent(null);

diff --git a/src/index.ts b/src/index.ts
@@ -68,7 +68,7 @@ export const Statsig = {
     options: StatsigOptions = {},
   ): Promise<void> {
     if (options.logger) {
-      OutputLogger.setLogger(options.logger);
+      OutputLogger.setLogger(options.logger, secretKey);
     }
 
     const inst =