fix: prevent axios error message from leaking sensitive data into logs (#75)

gwnlng · web-flow · commit 533e000c616e · 2023-08-03T00:08:10.000+08:00
Updated CODEOWNERS
moved ci to github actions
included response interceptor to sanitize axios error
included timeout testcase on v1 and REST api endpoints
pinned 1 dependencies package
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,2 +1,2 @@
-# Snyk Tech Services will be required for a review on every PR
-* @snyk-tech-services/snyk-tech-services
+# CS Engineering will be required for a review on every PR
+* @snyk-labs/cs-engineers
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,63 @@
+# This is a basic workflow to help you get started with Actions
+
+name: ci
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  push:
+    branches:
+      - '**'
+  pull_request:
+    branches:
+      - 'master'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  build-test:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: Install dependencies
+        run: |
+          npm install
+      - name: Run tests
+        run: |
+          npm test
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+  build-test-monitor:
+    if: github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    needs: build-test
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: Install dependencies
+        run: |
+          npm install semantic-release @semantic-release/exec pkg --save-dev
+          npm install
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --org=cse-snyk-labs
+          command: monitor
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,36 @@
+name: Release action
+on:
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read # for checkout
+
+jobs:
+  build-and-publish:
+    if: github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: "lts/*"
+      - name: Install dependencies
+        run: npm install
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx semantic-release
diff --git a/package.json b/package.json
@@ -33,6 +33,7 @@
   "homepage": "https://github.com/snyk-tech-services/snyk-request-manager#readme",
   "dependencies": {
     "@snyk/configstore": "^3.2.0-rc1",
+    "@types/babel__traverse": "7.17.1",
     "@types/debug": "^4.1.7",
     "@types/uuid": "^7.0.3",
     "axios": "0.27.2",
diff --git a/src/lib/request/request.ts b/src/lib/request/request.ts
@@ -58,6 +58,11 @@ const makeSnykRequest = async (
     },
     timeout: 30_000, // 5 mins same as Snyk APIs
   });
+  // sanitize error to avoid leaking sensitive data
+  apiClient.interceptors.response.use(undefined, async (error) => {
+    error.config.headers.Authorization = '****';
+    return Promise.reject(error);
+  });
 
   try {
     let res;
diff --git a/test/lib/request/request.test.ts b/test/lib/request/request.test.ts
@@ -30,6 +30,9 @@ beforeEach(() => {
     .reply(512, '512')
     .post(/\/genericerror/)
     .reply(512, '512')
+    .get(/\/gotimeout/)
+    .delayConnection(32000)
+    .reply(504, '504')
     .get(/\/apiautherror/)
     .reply(401, '401')
     .post(/\/apiautherror/)
@@ -206,4 +209,23 @@ describe('Test Snyk Utils error handling/classification', () => {
       expect(err).toBeInstanceOf(GenericError);
     }
   });
+
+  it('Test Timeout error on GET command', async () => {
+    try {
+      const bodyToSend = {
+        testbody: {},
+      };
+      await makeSnykRequest(
+        {
+          verb: 'GET',
+          url: '/gotimeout',
+          body: JSON.stringify(bodyToSend),
+        },
+        'token123',
+      );
+    } catch (err) {
+      expect(err).toBeInstanceOf(GenericError);
+      expect(err.message.config.headers.Authorization).toBe('****');
+    }
+  });
 });
diff --git a/test/lib/request/rest-request.test.ts b/test/lib/request/rest-request.test.ts
@@ -32,6 +32,9 @@ beforeEach(() => {
     .reply(512, '512')
     .post(/\/genericerror/)
     .reply(512, '512')
+    .get(/\/gotimeout/)
+    .delayConnection(32000)
+    .reply(504, '504')
     .get(/\/apiautherror/)
     .reply(401, '401')
     .post(/\/apiautherror/)
@@ -287,4 +290,24 @@ describe('Test Snyk Utils error handling/classification', () => {
       expect(err).toBeInstanceOf(GenericError);
     }
   });
+
+  it('Test Timeout error on GET command', async () => {
+    try {
+      const bodyToSend = {
+        testbody: {},
+      };
+      await makeSnykRequest(
+        {
+          verb: 'GET',
+          url: '/gotimeout',
+          body: JSON.stringify(bodyToSend),
+          useRESTApi: true,
+        },
+        'token123',
+      );
+    } catch (err) {
+      expect(err).toBeInstanceOf(GenericError);
+      expect(err.message.config.headers.Authorization).toBe('****');
+    }
+  });
 });
