From f24c06852e0bf6d672b58b784ce34d96581c2c03 Mon Sep 17 00:00:00 2001
From: Meier Lukas
Date: Mon, 30 Sep 2024 21:59:21 +0200
Subject: [PATCH] fix: sensitive data can be leaked through query parameters (#1208)

---
 apps/tasks/src/undici-log-agent-override.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/apps/tasks/src/undici-log-agent-override.ts b/apps/tasks/src/undici-log-agent-override.ts
index 8dfe9e8a3..79d443e86 100644
--- a/apps/tasks/src/undici-log-agent-override.ts
+++ b/apps/tasks/src/undici-log-agent-override.ts
@@ -9,8 +9,21 @@ class LoggingAgent extends Agent {
   }
 
   dispatch(options: Dispatcher.DispatchOptions, handler: Dispatcher.DispatchHandlers): boolean {
+    const url = new URL(`${options.origin as string}${options.path}`);
+
+    // The below code should prevent sensitive data from being logged as
+    // some integrations use query parameters for auth
+    url.searchParams.forEach((value, key) => {
+      if (value === "") return; // Skip empty values
+      if (/^\d{1,12}$/.test(value)) return; // Skip small numbers
+      if (value === "true" || value === "false") return; // Skip boolean values
+      if (/^[a-zA-Z]{1,12}$/.test(value)) return; // Skip short strings
+
+      url.searchParams.set(key, "REDACTED");
+    });
+
     logger.info(
-      `Dispatching request ${options.method} ${options.origin as string}${options.path} (${Object.keys(options.headers as object).length} headers)`,
+      `Dispatching request ${url.toString().replaceAll("=&", "&")} (${Object.keys(options.headers as object).length} headers)`,
     );
     return super.dispatch(options, handler);
   }
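Review bot: The value-based allow-list in the new forEach still lets short secrets into the log: a numeric PIN or one-time code matches `/^\d{1,12}$/` and a password or token made of up to twelve letters matches `/^[a-zA-Z]{1,12}$/`, so both would be written verbatim. Since the purpose of the change is to keep credentials out of the log, the safer default is to redact every value and allow only known-harmless parameter names (illustrative names), e.g. `const LOGGED_PARAMS = new Set(["page", "limit"]);` at module level and `if (!LOGGED_PARAMS.has(key)) url.searchParams.set(key, "REDACTED");` in place of the four heuristic early returns. Note also that `new URL(...)` throws on a malformed origin or path, so the logging statement can now fail the request before `super.dispatch` is reached; wrapping the URL construction in a try/catch that falls back to logging only `options.method` and the path without its query string keeps logging best-effort as it was before.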