debug: Hide sensitive from SASL2

xmppjs · Dec 23, 2024 · 43f84a6 · 43f84a6
1 parent 6835611
commit 43f84a6
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 4 deletions.
diff --git a/packages/debug/README.md b/packages/debug/README.md
@@ -2,7 +2,7 @@
 
 Prints logs and debug information to the console for an entity.
 
-Sensitive information (authentication) is replaced with `<hidden xmlns="xmpp.js"/>`
+⚠️ debug makes a best effort to replace sensitive information with `<hidden xmlns="xmpp.js"/>` but be careful not to share secrets when sharing logs.
 
 ## Install
 

diff --git a/packages/debug/index.js b/packages/debug/index.js
@@ -5,6 +5,7 @@ import clone from "ltx/lib/clone.js";
 /* eslint no-console: 0 */
 
 const NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl";
+const NS_SASL2 = "urn:xmpp:sasl:2";
 const NS_COMPONENT = "jabber:component:accept";
 
 const SENSITIVES = [
@@ -13,6 +14,8 @@ const SENSITIVES = [
   ["challenge", NS_SASL],
   ["response", NS_SASL],
   ["success", NS_SASL],
+  ["challenge", NS_SASL2],
+  ["response", NS_SASL2],
 ];
 
 function isSensitive(element) {
@@ -22,17 +25,27 @@ function isSensitive(element) {
   });
 }
 
-export function hideSensitive(element) {
-  if (isSensitive(element)) {
+function hide(element) {
+  if (element) {
     element.children = [];
     element.append(xml("hidden", { xmlns: "xmpp.js" }));
   }
+}
+
+export function hideSensitive(element) {
+  if (isSensitive(element)) {
+    hide(element);
+  } else if (element.is("authenticate", NS_SASL2)) {
+    hide(element.getChild("initial-response"));
+  } else if (element.getNS() === NS_SASL2) {
+    hide(element.getChild("additional-data"));
+  }
 
   return element;
 }
 
 function format(element) {
-  return stringify(hideSensitive(clone(element), 2));
+  return stringify(hideSensitive(clone(element)), 2);
 }
 
 export default function debug(entity, force) {

diff --git a/packages/debug/test.js b/packages/debug/test.js
@@ -40,6 +40,62 @@ test("SASL", () => {
   );
 });
 
+test("SASL2", () => {
+  expect(
+    hideSensitive(
+      <authenticate xmlns="urn:xmpp:sasl:2" mechanism="SCRAM-SHA-1-PLUS">
+        <initial-response>
+          cD10bHMtZXhwb3J0ZXIsLG49dXNlcixyPTEyQzRDRDVDLUUzOEUtNEE5OC04RjZELTE1QzM4RjUxQ0NDNg==
+        </initial-response>
+      </authenticate>,
+    ),
+  ).toEqual(
+    <authenticate xmlns="urn:xmpp:sasl:2" mechanism="SCRAM-SHA-1-PLUS">
+      <initial-response>
+        <hidden xmlns="xmpp.js" />
+      </initial-response>
+    </authenticate>,
+  );
+
+  expect(
+    hideSensitive(
+      <challenge xmlns="urn:xmpp:sasl:2">
+        cj0xMkM0Q0Q1Qy1FMzhFLTRBOTgtOEY2RC0xNUMzOEY1MUNDQzZhMDkxMTdhNi1hYzUwLTRmMmYtOTNmMS05Mzc5OWMyYmRkZjYscz1RU1hDUitRNnNlazhiZjkyLGk9NDA5Ng==
+      </challenge>,
+    ),
+  ).toEqual(
+    <challenge xmlns="urn:xmpp:sasl:2">
+      <hidden xmlns="xmpp.js" />
+    </challenge>,
+  );
+
+  expect(
+    hideSensitive(
+      <response xmlns="urn:xmpp:sasl:2">
+        Yz1jRDEwYkhNdFpYaHdiM0owWlhJc0xNY29Rdk9kQkRlUGQ0T3N3bG1BV1YzZGcxYTFXaDF0WVBUQndWaWQxMFZVLHI9MTJDNENENUMtRTM4RS00QTk4LThGNkQtMTVDMzhGNTFDQ0M2YTA5MTE3YTYtYWM1MC00ZjJmLTkzZjEtOTM3OTljMmJkZGY2LHA9VUFwbzd4bzZQYTlKK1ZhZWpmei9kRzdCb21VPQ==
+      </response>,
+    ),
+  ).toEqual(
+    <response xmlns="urn:xmpp:sasl:2">
+      <hidden xmlns="xmpp.js" />
+    </response>,
+  );
+
+  expect(
+    hideSensitive(
+      <continue xmlns="urn:xmpp:sasl:2">
+        <additional-data>SSdtIGJvcmVkIG5vdy4=</additional-data>
+      </continue>,
+    ),
+  ).toEqual(
+    <continue xmlns="urn:xmpp:sasl:2">
+      <additional-data>
+        <hidden xmlns="xmpp.js" />
+      </additional-data>
+    </continue>,
+  );
+});
+
 test("component handshake", () => {
   expect(
     hideSensitive(<handshake xmlns="jabber:component:accept">foo</handshake>),