From 4f303a46e3f412fa4e741a1703fdff90d1ce8053 Mon Sep 17 00:00:00 2001
From: tchapi
Date: Sat, 4 Nov 2023 13:54:43 +0100
Subject: [PATCH] Better redaction
---
 src/Logging/Monolog/PasswordFilterProcessor.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/Logging/Monolog/PasswordFilterProcessor.php b/src/Logging/Monolog/PasswordFilterProcessor.php
index 0c217e2..5e88d0c 100644
--- a/src/Logging/Monolog/PasswordFilterProcessor.php
+++ b/src/Logging/Monolog/PasswordFilterProcessor.php
@@ -6,19 +6,20 @@
 final class PasswordFilterProcessor implements ProcessorInterface
 {
+ private const REDACTED = '****';
 private const PASSWORD_KEY = 'password';
 private const SENSITIVE_ARGS_FUNCTIONS = ['validateUserPass', 'ldapOpen', 'password_verify', 'imapOpen', 'ldap_bind', 'hashPassword', 'dav'];
 public function __invoke(array $record): array
 {
+ // Remove potentially sensitive data from function arguments
+ $shouldRedactArgs = array_key_exists("function", $record) && in_array($record['function'], self::SENSITIVE_ARGS_FUNCTIONS);
+
 foreach ($record as $key => $item) {
 if (self::PASSWORD_KEY === strtolower($key)) {
- $record[$key] = '****';
- } elseif ('function' === strtolower($key)) {
- // Remove potentially sensitive data from function arguments
- if (in_array($item, self::SENSITIVE_ARGS_FUNCTIONS)) {
- $record['args'] = ['****'];
- }
+ $record[$key] = self::REDACTED;
+ } elseif($key === 'args' && $shouldRedactArgs) {
+ $record["args"] = [self::REDACTED];
 } elseif (is_array($item)) {
 $record[$key] = $this($item);
 }
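Review bot: The `in_array($record['function'], self::SENSITIVE_ARGS_FUNCTIONS)` call that now sets `$shouldRedactArgs` compares loosely, so whether a frame is masked depends on PHP's type juggling rather than on an exact name match; pass the strict flag, `in_array($record['function'], self::SENSITIVE_ARGS_FUNCTIONS, true)`. The masking is also still driven by a name list: a frame whose function is not in `SENSITIVE_ARGS_FUNCTIONS` falls through to the `is_array($item)` branch, where only keys literally named `password` are replaced and positional arguments are logged unchanged, so a comment on the constant such as `// Frames for functions not listed here keep their args; list every function that receives a credential` would make that limit visible to maintainers. The added `elseif($key === 'args' && $shouldRedactArgs)` line also departs from the Yoda order, single quotes and `elseif (` spacing used by the neighbouring branches. The `foreach` loop and the rest of `__invoke` continue past the end of the hunk, so the return path is not visible here.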