Feature request - redact known value #2102
Comments
|
I believe you are looking for https://getpino.io/#/docs/api?id=logmethod |
|
@jsumners - thanks for replying :) That's what I'm playing with now, but I'm hoping to hook in later in the process, because I just care about redacting things from the final output. This could be either during or after serializing everything passed into the logger into strings or at least plain objects. I guess this would be right after the existing redaction code runs. I did start to mess around with the stringifier and formatter stuff, but it felt very hacky. |
|
I do not understand the ask. That log hook should be exactly what you need. |
|
From what I understand, the order of operations is:
I'd like to be able to call my function after all of this has run. I would imagine this could be a new kind of hook. 
|
|
If you want to redact based on content, what does the order matter? |
|
The ordering with regards to the existing redaction stuff doesn’t really matter so much, but the problem is that until the custom serializers run, I may be dealing with custom classes and I don’t don’t know what the serialized version will look like. It may contain sensitive properties, but they may not be part of the serialized output. Regardless I don’t want to modify or clone the raw object. Imagine a request object with auth headers that are sensitive. At the point of the hook firing, I just have a fancy class instance with lots of properties that I can’t modify. And I can’t make any assumptions about how to serialize it - that’s what the custom serializers are for. After serialization, I should have a plain object that I can check and redact from. Plus I have no idea if the serializer (or formatters?) may introduce additional data that should be redacted (unlikely but possible). I just want to operate on the final data, just before it is sent off to various transports. |
|
My suggestion, in that case, is to handle it at the source: 'use strict'
const pino = require('pino')
const log = pino()
const p = {
toJSON () {
const json = {}
if (this.foo === 42) {
json.foo = 'redacted'
} else {
json.foo = this.foo
}
return json
}
}
const a = Object.create(p)
a.foo = 42
log.info({a})
// {"level":30,"time":1733309485514,"pid":70572,"hostname":"no","a":{"foo":"redacted"}}
a.foo = 'bar'
log.info({a})
// {"level":30,"time":1733309485516,"pid":70572,"hostname":"no","a":{"foo":"bar"}} |
|
That would work if I had full control over everything, but I'm building dev tools that help users manage configuration and secrets. So my tool has knowledge of all the sensitive config values, but not control over how our users will be handling serialization and logging more generally. Of course I could provide additional utility functions that users could wire up explicitly, but it seems like a single hook should be possible to just scrub the values later in the process. |
I'm trying to inject some behaviour that would redact specific known values (rather than using keys) from logs, before they are sent off to wherever they are going. I have not dug in too deep yet, but I assume at some point, everything must be serialized to a string - or at least converted into plain objects - before getting sent off to various transports. From what I can tell, the current hooks and plugins functionality will not let me inject this behaviour, but any guidance is much appreciated!
I understand I could use a custom transport, but the idea here would be to protect these values from being included in any existing log destinations, with minimal user effort.
There was some related discussion here, although in this case, the request was more about using a regex to detect sensitive info, which would obviously be tough to handle in a performant way.
Thanks!
The text was updated successfully, but these errors were encountered: