#36 CRITICAL: add .max(128) to all password Zod schemas to prevent Argon2-based DoS from unbounded password strings. #46 HIGH: configure pino redact paths so passwords/tokens/cookies/TOTP secrets are never serialized in logs. #58 MEDIUM: upgrade dompurify to ^3.4.0 and add pnpm overrides for brace-expansion (>=5.0.5) and esbuild (>=0.25.0) to patch known CVEs. The moderate Vite advisory (path traversal, dev-only) remains unpatched: it requires a vitest 3.x major upgrade, which is deferred. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -5,15 +5,53 @@ const isProduction = process.env["NODE_ENV"] === "production";
|
||||
const LOG_LEVEL = process.env["LOG_LEVEL"] ?? "info";
|
||||
const devDestination = pino.destination({ dest: 1, sync: true });
|
||||
|
||||
const REDACT_PATHS = [
|
||||
"password",
|
||||
"*.password",
|
||||
"*.*.password",
|
||||
"newPassword",
|
||||
"*.newPassword",
|
||||
"currentPassword",
|
||||
"*.currentPassword",
|
||||
"passwordHash",
|
||||
"*.passwordHash",
|
||||
"token",
|
||||
"*.token",
|
||||
"*.*.token",
|
||||
"accessToken",
|
||||
"*.accessToken",
|
||||
"refreshToken",
|
||||
"*.refreshToken",
|
||||
"apiKey",
|
||||
"*.apiKey",
|
||||
"authorization",
|
||||
"*.authorization",
|
||||
"cookie",
|
||||
"*.cookie",
|
||||
"totp",
|
||||
"*.totp",
|
||||
"totpSecret",
|
||||
"*.totpSecret",
|
||||
"secret",
|
||||
"*.secret",
|
||||
"req.headers.authorization",
|
||||
"req.headers.cookie",
|
||||
'res.headers["set-cookie"]',
|
||||
];
|
||||
|
||||
const redactConfig = { paths: REDACT_PATHS, censor: "[REDACTED]" };
|
||||
|
||||
export const logger = isProduction
|
||||
? pino({
|
||||
level: LOG_LEVEL,
|
||||
base: { service: "capakraken-api" },
|
||||
redact: redactConfig,
|
||||
})
|
||||
: pino(
|
||||
{
|
||||
level: LOG_LEVEL,
|
||||
base: { service: "capakraken-api" },
|
||||
redact: redactConfig,
|
||||
formatters: {
|
||||
level(label: string) {
|
||||
return { level: label };
|
||||
|
||||