@ndoschek ndoschek commented Dec 18, 2025

What it does

Introduce LoggerSanitizer service that automatically masks credentials in log messages to prevent sensitive data leakage (e.g., proxy URLs with username:password, api keys).

  • Add LoggerSanitizer interface and DefaultLoggerSanitizer implementation
  • Integrate sanitizer into Logger.format()
  • Provide a base set of sanitization rules to mask any URL protocol with credentials, api keys and authtokens
  • Make sanitizer injectable and optional
  • Add unit test cases

How to test

  • add a proxy env variable either on cli or via the launch config, e.g. "HTTP_PROXY": "http://myusername:[email protected]:8080"
  • start an example application with loglevel debug (e.g. via npm run start:debug or via the launch configs)
    • for additional test cases open the user settings file, close the application and inspect the 'fireDidChangeContent' logs on startup (contains api keys/authtokens if stored in user settings)
  • optional: add "--log-file=example.log" to make log inspection easier
  • verify that the url containing the logged credentials/api keys/auth tokens has been masked, e.g. "HTTP_PROXY": "http://****:****@proxy.example.com:8080"

Follow-ups

Breaking changes

  • This PR introduces breaking changes and requires careful review. If yes, the breaking changes section in the changelog has been updated.

Attribution

Contributed on behalf of STMicroelectronics

Review checklist

Reminder for reviewers

@github-project-automation github-project-automation bot moved this to Waiting on reviewers in PR Backlog Dec 18, 2025
@ndoschek ndoschek force-pushed the nd/logger-sanitizer branch from e91eee0 to c50f963 Compare December 18, 2025 15:32
@ndoschek ndoschek requested a review from sdirix December 18, 2025 16:48
@ndoschek ndoschek force-pushed the nd/logger-sanitizer branch from c50f963 to f61b65c Compare December 19, 2025 13:52
Introduce LoggerSanitizer service that automatically masks credentials in log messages to prevent sensitive data leakage (e.g., proxy URLs with username:password, api keys).

- Add LoggerSanitizer interface and DefaultLoggerSanitizer implementation
- Integrate sanitizer into Logger.format()
- Provide a base set of sanitization rules to mask any URL protocol with credentials, api keys and authtokens
- Make sanitizer injectable and optional
- Add unit test cases

Contributed on behalf of STMicroelectronics
@ndoschek ndoschek force-pushed the nd/logger-sanitizer branch from f61b65c to 803d552 Compare December 22, 2025 12:36
@ndoschek ndoschek changed the title feat: add injectable LoggerSanitizer to mask credentials in logs feat: add injectable LoggerSanitizer to mask sensitive data in logs Dec 22, 2025
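
A sketch of the rule-based masking this PR describes, added here as an example and not the PR's own code: `SanitizationRule`, `RULES` and `sanitizeLogMessage` are hypothetical names, the regexes are assumptions about what such rules could look like, and all sample strings are constructed. It covers URL userinfo (including a password that contains `@`) and JSON-style api key / auth token fields.

```typescript
// Added illustration. Hypothetical names; not the LoggerSanitizer API from the PR.
interface SanitizationRule {
    pattern: RegExp;      // must carry the global flag so every occurrence is masked
    replacement: string;  // may reference capture groups ($1, $2)
}

const MASK = '****';

const RULES: SanitizationRule[] = [
    {
        // scheme://user:password@host -> scheme://****:****@host
        // The password class allows '@' and is greedy, so a password such as
        // "p@ss" is masked up to the last '@' of the authority. '/', '?' and '#'
        // end the authority, which keeps "host:8080/path?mail=a@b" untouched.
        pattern: /\b([a-z][a-z0-9+.-]*:\/\/)[^\s\/:@?#"']+:[^\s\/?#"']+@/gi,
        replacement: `$1${MASK}:${MASK}@`
    },
    {
        // "apiKey": "value" / "auth_token": "value", as seen in settings dumps
        pattern: /("(?:api[_-]?key|auth[_-]?token)"\s*:\s*")[^"]*(")/gi,
        replacement: `$1${MASK}$2`
    }
];

// Applies every rule in order and returns the masked message.
function sanitizeLogMessage(message: string, rules: SanitizationRule[] = RULES): string {
    return rules.reduce((msg, rule) => msg.replace(rule.pattern, rule.replacement), message);
}

// Constructed sample log lines.
const SAMPLES: string[] = [
    '"HTTP_PROXY": "http://myusername:secret@proxy.example.com:8080"',
    'fetch ftp://u:p@ss@files.example.com/x',
    'GET http://proxy.example.com:8080/a?mail=b@c',
    '{"apiKey": "constructed-key-123", "name": "x"}'
];

function sanitizeSamples(): string[] {
    return SAMPLES.map(line => sanitizeLogMessage(line));
}
```

Masking of this kind is pattern based, so secrets in a shape no rule anticipates still reach the log; rules should be tested against real log output such as the 'fireDidChangeContent' lines mentioned in the test steps.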