diff --git a/packages/javascript/package.json b/packages/javascript/package.json
index 84eed2b1..7f9c0344 100644
--- a/packages/javascript/package.json
+++ b/packages/javascript/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@hawk.so/javascript",
- "version": "3.2.13",
+ "version": "3.2.14",
 "description": "JavaScript errors tracking for Hawk.so",
 "files": [
 "dist"
diff --git a/packages/javascript/src/addons/consoleCatcher.ts b/packages/javascript/src/addons/consoleCatcher.ts
index 16815ab0..afdd3944 100644
--- a/packages/javascript/src/addons/consoleCatcher.ts
+++ b/packages/javascript/src/addons/consoleCatcher.ts
@@ -3,6 +3,7 @@
 */
 import type { ConsoleLogEvent } from '@hawk.so/types';
 import Sanitizer from '../modules/sanitizer';
+import { redactSensitiveKeys } from '../utils/sensitiveKeys';
 /**
 * Maximum number of console logs to store
@@ -72,7 +73,9 @@ export class ConsoleCatcher {
 */
 const sanitized = Sanitizer.sanitize(arg);
- return JSON.stringify(sanitized);
+ const redacted = redactSensitiveKeys(sanitized);
+
+ return JSON.stringify(redacted);
 }
 /**
diff --git a/packages/javascript/src/utils/sensitiveKeys.ts b/packages/javascript/src/utils/sensitiveKeys.ts
new file mode 100644
index 00000000..ed659d8d
--- /dev/null
+++ b/packages/javascript/src/utils/sensitiveKeys.ts
@@ -0,0 +1,37 @@
+/**
+ * Sensitive keys redaction (aligned with grouper DataFilter).
+ * Used in console output and anywhere we must not send secrets to Hawk.
+ */
+
+export const SENSITIVE_KEYS = new Set([
+ 'pan',
+ 'secret',
+ 'credentials',
+ 'card[number]',
+ 'password',
+ 'oldpassword',
+ 'newpassword',
+ 'auth',
+ 'access_token',
+ 'accesstoken',
+]);
+
+export const FILTERED_PLACEHOLDER = '[filtered]';
+
+/**
+ * Recursively redact values for sensitive keys in objects/arrays.
+ */
+export function redactSensitiveKeys(value: unknown): unknown {
+ if (value === null || typeof value !== 'object') {
+ return value;
+ }
+ if (Array.isArray(value)) {
+ return value.map(redactSensitiveKeys);
+ }
+ const result: Record = {};
+ for (const [key, val] of Object.entries(value)) {
+ const keyLower = key.toLowerCase();
+ result[key] = SENSITIVE_KEYS.has(keyLower) ? FILTERED_PLACEHOLDER : redactSensitiveKeys(val);
+ }
+ return result;
+}
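Review bot: `SENSITIVE_KEYS.has(keyLower)` in `redactSensitiveKeys` is an exact match after lowercasing, so only the ten listed names are filtered. Keys such as `authorization`, `token` or `client_secret` (constructed examples) would still be serialized into the console-log payload, and a secret embedded in a string value is never touched. If the list is deliberately kept identical to the grouper DataFilter, the function's doc comment should state the limit, e.g. `Matching is exact and case-insensitive; unlisted keys and secrets inside string values are NOT redacted.` The recursion also has no cycle or depth guard, so any caller that does not run `Sanitizer.sanitize` first, as consoleCatcher does, could overflow the stack on a circular value (whether the sanitizer breaks cycles is not visible here); a `WeakSet` of visited objects would bound it. Finally, `result[key] = …` with an own key named `__proto__` sets the prototype of `result` instead of an own property and silently drops that entry from the output; creating `result` with `Object.create(null)` avoids this.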