feat: add injectable LoggerSanitizer to mask credentials in logs

Introduce LoggerSanitizer service that automatically masks credentials in log messages to prevent sensitive data leakage (e.g., proxy URLs with username:password).

- Add LoggerSanitizer interface and DefaultLoggerSanitizer implementation
- Integrate sanitizer into Logger.format() for all string messages and errors
- Support any URL protocol with credentials (protocol://user:pass@host)
- Make sanitizer injectable and optional for backward compatibility
- Allow adopters to extend or replace sanitization behavior via rebind
- Add unit test cases

Contributed on behalf of STMicroelectronics

Author: ndoschek

packages/core/src/common/index.ts

@@ -26,6 +26,7 @@ export * from './event';
 export * from './inversify-utils';
 export * from './listener';
 export * from './logger';
+export * from './logger-sanitizer';
 export * from './lsp-types';
 export * from './menu';
 export * from './message-rpc';

packages/core/src/common/logger-binding.ts

@@ -17,6 +17,7 @@
 import { interfaces } from 'inversify';
 import { ILogger, Logger, LoggerName, rootLoggerName } from './logger';
 import { LoggerWatcher } from './logger-watcher';
+import { DefaultLoggerSanitizer, LoggerSanitizer } from './logger-sanitizer';
 
 export function bindCommonLogger(bind: interfaces.Bind): void {
     bind(LoggerName).toConstantValue(rootLoggerName);
@@ -26,6 +27,7 @@ export function bindCommonLogger(bind: interfaces.Bind): void {
         return logger.child(getName(ctx.currentRequest)!);
     }).when(request => getName(request) !== undefined);
     bind(LoggerWatcher).toSelf().inSingletonScope();
+    bind(LoggerSanitizer).to(DefaultLoggerSanitizer).inSingletonScope();
 }
 
 function getName(request: interfaces.Request): string | undefined {

packages/core/src/common/logger-sanitizer.spec.ts

@@ -0,0 +1,168 @@
+// *****************************************************************************
+// Copyright (C) 2025 STMicroelectronics GmbH.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// http://www.eclipse.org/legal/epl-2.0.
+//
+// This Source Code may also be made available under the following Secondary
+// Licenses when the conditions for such availability set forth in the Eclipse
+// Public License v. 2.0 are satisfied: GNU General Public License, version 2
+// with the GNU Classpath Exception which is available at
+// https://www.gnu.org/software/classpath/license.html.
+//
+// SPDX-License-Identifier: EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0
+// *****************************************************************************
+
+import { expect } from 'chai';
+import { DefaultLoggerSanitizer } from './logger-sanitizer';
+
+describe('DefaultLoggerSanitizer', () => {
+    let sanitizer: DefaultLoggerSanitizer;
+
+    beforeEach(() => {
+        sanitizer = new DefaultLoggerSanitizer();
+    });
+
+    describe('sanitize', () => {
+        it('should mask credentials in http URL', () => {
+            const message = 'http://username:[email protected]:8080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('http://****:****@proxy.example.com:8080');
+        });
+
+        it('should mask credentials in https URL', () => {
+            const message = 'https://user:[email protected]:443/path';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('https://****:****@secure-proxy.com:443/path');
+        });
+
+        it('should return URL unchanged if no credentials present', () => {
+            const message = 'http://proxy.example.com:8080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('http://proxy.example.com:8080');
+        });
+
+        it('should return empty string for empty string input', () => {
+            const sanitized = sanitizer.sanitize('');
+            expect(sanitized).to.equal('');
+        });
+
+        it('should handle complex passwords with special characters', () => {
+            const message = 'http://user:p%40ss%[email protected]:8080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('http://****:****@proxy.com:8080');
+        });
+
+        it('should handle URL with path and query parameters', () => {
+            const message = 'http://user:[email protected]:8080/path?query=value';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('http://****:****@proxy.com:8080/path?query=value');
+        });
+
+        it('should mask credentials in ftp URL', () => {
+            const message = 'ftp://user:[email protected]';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('ftp://****:****@ftp.example.com');
+        });
+
+        it('should mask credentials in sftp URL', () => {
+            const message = 'sftp://user:[email protected]:22/path';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('sftp://****:****@sftp.example.com:22/path');
+        });
+
+        it('should mask credentials in ssh URL', () => {
+            const message = 'ssh://git:[email protected]/repo';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('ssh://****:****@github.com/repo');
+        });
+
+        it('should mask credentials in ws URL', () => {
+            const message = 'ws://user:[email protected]';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('ws://****:****@websocket.example.com');
+        });
+
+        it('should mask credentials in wss URL', () => {
+            const message = 'wss://user:[email protected]';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('wss://****:****@secure-websocket.example.com');
+        });
+
+        it('should mask credentials in socks proxy URL', () => {
+            const message = 'socks://user:[email protected]:1080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('socks://****:****@socks-proxy.com:1080');
+        });
+
+        it('should mask credentials in socks4 proxy URL', () => {
+            const message = 'socks4://user:[email protected]:1080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('socks4://****:****@socks4-proxy.com:1080');
+        });
+
+        it('should mask credentials in socks5 proxy URL', () => {
+            const message = 'socks5://user:[email protected]:1080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('socks5://****:****@socks5-proxy.com:1080');
+        });
+
+        it('should mask credentials in git URL', () => {
+            const message = 'git://user:[email protected]/org/repo.git';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('git://****:****@github.com/org/repo.git');
+        });
+
+        it('should not mask mailto links (no credentials format)', () => {
+            const message = 'mailto:[email protected]';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('mailto:[email protected]');
+        });
+
+        it('should mask credentials in any protocol with standard URL format', () => {
+            const message = 'customprotocol://user:[email protected]';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('customprotocol://****:****@custom.server.com');
+        });
+
+        it('should be case-insensitive for protocol', () => {
+            const message = 'HTTP://user:[email protected]:8080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('HTTP://****:****@proxy.com:8080');
+        });
+
+        it('should mask multiple URLs in a single string', () => {
+            const message = 'Connecting to http://user1:[email protected] and http://user2:[email protected]';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('Connecting to http://****:****@proxy1.com and http://****:****@proxy2.com');
+        });
+
+        it('should mask multiple URLs with different protocols', () => {
+            const message = 'HTTP: http://u:[email protected], SOCKS: socks5://u:[email protected], Git: git://u:[email protected]';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('HTTP: http://****:****@h1.com, SOCKS: socks5://****:****@h2.com, Git: git://****:****@h3.com');
+        });
+
+        it('should mask credentials in log messages containing URLs', () => {
+            const message = 'Failed to connect to http://admin:[email protected]:8080';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal('Failed to connect to http://****:****@internal-proxy.com:8080');
+        });
+
+        it('should handle error stack traces with URLs', () => {
+            const stack = `Error: Connection failed
+    at Request.http://user:[email protected]:8080/api
+    at processRequest (index.js:10:5)`;
+            const sanitized = sanitizer.sanitize(stack);
+            expect(sanitized).to.contain('http://****:****@proxy.com:8080');
+            expect(sanitized).not.to.contain('user:pass');
+        });
+
+        it('should return message unchanged if no sensitive data', () => {
+            const message = 'Normal log message without sensitive data';
+            const sanitized = sanitizer.sanitize(message);
+            expect(sanitized).to.equal(message);
+        });
+    });
+});

packages/core/src/common/logger-sanitizer.ts

@@ -0,0 +1,87 @@
+// *****************************************************************************
+// Copyright (C) 2025 STMicroelectronics GmbH.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// http://www.eclipse.org/legal/epl-2.0.
+//
+// This Source Code may also be made available under the following Secondary
+// Licenses when the conditions for such availability set forth in the Eclipse
+// Public License v. 2.0 are satisfied: GNU General Public License, version 2
+// with the GNU Classpath Exception which is available at
+// https://www.gnu.org/software/classpath/license.html.
+//
+// SPDX-License-Identifier: EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0
+// *****************************************************************************
+
+import { injectable } from 'inversify';
+
+export const LoggerSanitizer = Symbol('LoggerSanitizer');
+
+/**
+ * Service for sanitizing log messages to remove sensitive information.
+ *
+ * Adopters can rebind this service to customize sanitization behavior,
+ * for example to mask additional patterns like API keys or tokens.
+ *
+ * @example
+ * ```ts
+ * // Custom sanitizer that extends the default behavior
+ * @injectable()
+ * class CustomLoggerSanitizer extends DefaultLoggerSanitizer {
+ *     override sanitize(message: string): string {
+ *         let sanitized = super.sanitize(message);
+ *         // Add custom sanitization, e.g., mask API keys
+ *         sanitized = sanitized.replace(/api[_-]?key[=:]\s*['"]?[\w-]+['"]?/gi, 'api_key=****');
+ *         return sanitized;
+ *     }
+ * }
+ *
+ * // In your module:
+ * rebind(LoggerSanitizer).to(CustomLoggerSanitizer).inSingletonScope();
+ * ```
+ */
+export interface LoggerSanitizer {
+    /**
+     * Sanitizes a log message by masking sensitive information.
+     *
+     * @param message The log message to sanitize
+     * @returns The sanitized message with sensitive data masked
+     */
+    sanitize(message: string): string;
+}
+
+/**
+ * Regex pattern to match URLs with credentials.
+ * Matches any URL with format: protocol://user:pass@host
+ * Protocol is any sequence of alphanumeric characters followed by ://
+ */
+const URL_CREDENTIALS_PATTERN = /([a-z][a-z0-9+.-]*:\/\/)([^:]+):([^@]+)@/gi;
+
+/**
+ * Default implementation of LoggerSanitizer that masks credentials in URLs.
+ *
+ * Currently masks:
+ * - Credentials in any URL with format protocol://user:pass@host
+ *   (e.g., http://user:pass@host -> http://****:****@host)
+ *
+ * Adopters can extend this class to add additional sanitization patterns.
+ */
+@injectable()
+export class DefaultLoggerSanitizer implements LoggerSanitizer {
+
+    sanitize(message: string): string {
+        return this.maskUrlCredentials(message);
+    }
+
+    /**
+     * Masks credentials in URLs within the message.
+     * Replaces username:password with ****:****
+     *
+     * @param message The message potentially containing URLs with credentials
+     * @returns The message with URL credentials masked
+     */
+    protected maskUrlCredentials(message: string): string {
+        return message.replace(URL_CREDENTIALS_PATTERN, '$1****:****@');
+    }
+}

packages/core/src/common/logger.spec.ts

@@ -16,7 +16,29 @@
 
 import { expect } from 'chai';
 import { MockLogger } from './test/mock-logger';
-import { setRootLogger, unsetRootLogger } from './logger';
+import { setRootLogger, unsetRootLogger, Logger } from './logger';
+import { DefaultLoggerSanitizer, LoggerSanitizer } from './logger-sanitizer';
+
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+/**
+ * Testable subclass of Logger that exposes protected methods for testing.
+ */
+class TestableLogger extends Logger {
+    constructor(sanitizer?: LoggerSanitizer) {
+        super();
+        // Bypass dependency injection for testing
+        (this as any).sanitizer = sanitizer;
+    }
+
+    public testFormat(value: any): any {
+        return this.format(value);
+    }
+
+    public testSanitize(message: string): string {
+        return this.sanitize(message);
+    }
+}
 
 describe('logger', () => {
 
@@ -43,4 +65,86 @@ describe('logger', () => {
         ).to.not.throw(ReferenceError);
     });
 
+    describe('Logger sanitization', () => {
+        let loggerWithSanitizer: TestableLogger;
+        let loggerWithoutSanitizer: TestableLogger;
+
+        beforeEach(() => {
+            loggerWithSanitizer = new TestableLogger(new DefaultLoggerSanitizer());
+            loggerWithoutSanitizer = new TestableLogger(undefined);
+        });
+
+        describe('format', () => {
+            it('should sanitize string messages with credentials', () => {
+                const message = 'Connecting to http://user:[email protected]:8080';
+                const formatted = loggerWithSanitizer.testFormat(message);
+                expect(formatted).to.equal('Connecting to http://****:****@proxy.com:8080');
+            });
+
+            it('should sanitize error stack traces with credentials', () => {
+                const error = new Error('Connection failed to http://admin:[email protected]');
+                const formatted = loggerWithSanitizer.testFormat(error);
+                expect(formatted).to.include('http://****:****@server.com');
+                expect(formatted).not.to.include('admin:secret');
+            });
+
+            it('should return non-string values unchanged', () => {
+                const obj = { url: 'http://user:[email protected]' };
+                const formatted = loggerWithSanitizer.testFormat(obj);
+                expect(formatted).to.equal(obj);
+            });
+
+            it('should return numbers unchanged', () => {
+                const formatted = loggerWithSanitizer.testFormat(42);
+                expect(formatted).to.equal(42);
+            });
+
+            it('should handle messages without credentials', () => {
+                const message = 'Normal log message';
+                const formatted = loggerWithSanitizer.testFormat(message);
+                expect(formatted).to.equal('Normal log message');
+            });
+        });
+
+        describe('sanitize without sanitizer', () => {
+            it('should return message unchanged when no sanitizer is injected', () => {
+                const message = 'http://user:[email protected]:8080';
+                const sanitized = loggerWithoutSanitizer.testSanitize(message);
+                expect(sanitized).to.equal(message);
+            });
+        });
+
+        describe('sanitize with sanitizer', () => {
+            it('should mask credentials in URLs', () => {
+                const message = 'http://user:[email protected]:8080';
+                const sanitized = loggerWithSanitizer.testSanitize(message);
+                expect(sanitized).to.equal('http://****:****@proxy.com:8080');
+            });
+
+            it('should mask multiple URLs in a single message', () => {
+                const message = 'Primary: http://u1:[email protected], Fallback: https://u2:[email protected]';
+                const sanitized = loggerWithSanitizer.testSanitize(message);
+                expect(sanitized).to.equal('Primary: http://****:****@proxy1.com, Fallback: https://****:****@proxy2.com');
+            });
+
+            it('should mask credentials across different protocols', () => {
+                const message = 'Proxies: socks5://u:[email protected], ftp://u:[email protected], wss://u:[email protected]';
+                const sanitized = loggerWithSanitizer.testSanitize(message);
+                expect(sanitized).to.equal('Proxies: socks5://****:****@socks.com, ftp://****:****@ftp.com, wss://****:****@ws.com');
+            });
+        });
+
+        describe('custom sanitizer', () => {
+            it('should allow custom sanitizer implementation', () => {
+                const customSanitizer: LoggerSanitizer = {
+                    sanitize: (msg: string) => msg.replace(/secret/gi, '***')
+                };
+                const loggerWithCustomSanitizer = new TestableLogger(customSanitizer);
+
+                const message = 'The secret code is SECRET';
+                const sanitized = loggerWithCustomSanitizer.testSanitize(message);
+                expect(sanitized).to.equal('The *** code is ***');
+            });
+        });
+    });
 });