From ec6bc9111af62ab962a20d88211944b18ceac820 Mon Sep 17 00:00:00 2001 From: YJ Date: Fri, 28 Dec 2018 18:54:25 +0800 Subject: [PATCH 1/5] don't show password in plaintext in console --- packages/api/src/transport/ws/ws.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/packages/api/src/transport/ws/ws.js b/packages/api/src/transport/ws/ws.js index eda9e378..c8704dae 100644 --- a/packages/api/src/transport/ws/ws.js +++ b/packages/api/src/transport/ws/ws.js @@ -261,6 +261,11 @@ class Ws extends JsonRpcBase { // Don't print error if request rejected or not is not yet up... if (!/(rejected|not yet up)/.test(result.error.message)) { + var dangerous_methods = ['signer_confirmRequest', 'signer_confirmRequestWithToken']; + if (dangerous_methods.includes(method)) { + params.pop(); + } + console.error(`${method}(${JSON.stringify(params)}): ${result.error.code}: ${result.error.message}`); } From 60702d51b5dbeeea24fd48723f3cdbcabeb76e15 Mon Sep 17 00:00:00 2001 From: YJ Date: Wed, 2 Jan 2019 12:27:21 +0800 Subject: [PATCH 2/5] make *** --- packages/api/src/transport/ws/ws.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/packages/api/src/transport/ws/ws.js b/packages/api/src/transport/ws/ws.js index c8704dae..02be2754 100644 --- a/packages/api/src/transport/ws/ws.js +++ b/packages/api/src/transport/ws/ws.js 
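Review bot: `params.pop()` in PATCH 1/5 removes the last element from the caller's `params` array itself rather than from a copy, so redacting the log line changes the request data as a side effect. Whether `params` is read again after this point is not visible in the hunk, but any later use would find the secret silently missing. Mask a copy instead, e.g. `const safeParams = params.slice(0, -1).concat('***');`, and log `safeParams`; this also keeps the argument count visible in the message. The enclosing method starts and ends outside the hunk.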
@@ -261,12 +261,14 @@ class Ws extends JsonRpcBase { // Don't print error if request rejected or not is not yet up... if (!/(rejected|not yet up)/.test(result.error.message)) { - var dangerous_methods = ['signer_confirmRequest', 'signer_confirmRequestWithToken']; + const dangerous_methods = ['signer_confirmRequest', 'signer_confirmRequestWithToken']; + let safe_params; if (dangerous_methods.includes(method)) { - params.pop(); + safe_params = params.slice(); + safe_params[params.length - 1] = '***'; } - console.error(`${method}(${JSON.stringify(params)}): ${result.error.code}: ${result.error.message}`); + console.error(`${method}(${JSON.stringify(`${params || safe_params}`)}): ${result.error.code}: ${result.error.message}`); } const error = new TransportError(method, result.error.code, result.error.message); From b795674ee0989be2aef41934e06ccc7f3224c6d3 Mon Sep 17 00:00:00 2001 From: YJ Date: Wed, 2 Jan 2019 12:29:32 +0800 Subject: [PATCH 3/5] make *** --- packages/api/src/transport/ws/ws.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/packages/api/src/transport/ws/ws.js b/packages/api/src/transport/ws/ws.js index c8704dae..0d8bf263 100644 --- a/packages/api/src/transport/ws/ws.js +++ b/packages/api/src/transport/ws/ws.js 
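Review bot: In PATCH 2/5 the logged expression `params || safe_params` always evaluates to `params`, because an array is truthy even when empty, so the masked copy is never used and the password or token still reaches the console. The template literal wrapped around it also turns the array into a comma-joined string before `JSON.stringify` sees it, which prints nested objects as `[object Object]`; PATCH 3/5 keeps that wrapper. The argument should be `JSON.stringify(safe_params || params)` with no inner template literal.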
@@ -261,12 +261,14 @@ class Ws extends JsonRpcBase { // Don't print error if request rejected or not is not yet up... if (!/(rejected|not yet up)/.test(result.error.message)) { - var dangerous_methods = ['signer_confirmRequest', 'signer_confirmRequestWithToken']; + const dangerous_methods = ['signer_confirmRequest', 'signer_confirmRequestWithToken']; + let safe_params; if (dangerous_methods.includes(method)) { - params.pop(); + safe_params = params.slice(); + safe_params[params.length - 1] = '***'; } - console.error(`${method}(${JSON.stringify(params)}): ${result.error.code}: ${result.error.message}`); + console.error(`${method}(${JSON.stringify(`${safe_params || params}`)}): ${result.error.code}: ${result.error.message}`); } const error = new TransportError(method, result.error.code, result.error.message); From a577e2baa8dbca33423e55ca9a85cead124f4393 Mon Sep 17 00:00:00 2001 From: Amaury Martiny Date: Wed, 2 Jan 2019 22:10:36 +0800 Subject: [PATCH 4/5] Update packages/api/src/transport/ws/ws.js Co-Authored-By: yjkimjunior --- packages/api/src/transport/ws/ws.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/api/src/transport/ws/ws.js b/packages/api/src/transport/ws/ws.js index 0d8bf263..d65e81ce 100644 --- a/packages/api/src/transport/ws/ws.js +++ b/packages/api/src/transport/ws/ws.js @@ -268,7 +268,7 @@ class Ws extends JsonRpcBase { safe_params[params.length - 1] = '***'; } - console.error(`${method}(${JSON.stringify(`${safe_params || params}`)}): ${result.error.code}: ${result.error.message}`); + console.error(`${method}(${JSON.stringify(safe_params || params)}): ${result.error.code}: ${result.error.message}`); } const error = new TransportError(method, result.error.code, result.error.message); From 71fbf5a20d5019886e2cc55668fb6787ff8d23e2 Mon Sep 17 00:00:00 2001 
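Review bot: `params.slice()` in PATCH 3/5 (the same lines appear in PATCH 2/5) assumes `params` is a non-empty array, and it runs inside the error-reporting branch. The shape of `params` is decided outside the hunk; if it can ever be undefined for these methods the call throws a TypeError, and if it is empty the assignment writes to index -1. An exception at this point would pre-empt the `TransportError` constructed just below. A guard such as `if (dangerous_methods.includes(method) && Array.isArray(params) && params.length > 0) {` keeps the redaction from changing how the error is handled.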
From: YJ Date: Wed, 2 Jan 2019 22:23:54 +0800 Subject: [PATCH 5/5] add comment explaining the issue --- packages/api/src/transport/ws/ws.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packages/api/src/transport/ws/ws.js b/packages/api/src/transport/ws/ws.js index d65e81ce..bfe41ed0 100644 --- a/packages/api/src/transport/ws/ws.js +++ b/packages/api/src/transport/ws/ws.js @@ -261,6 +261,9 @@ class Ws extends JsonRpcBase { // Don't print error if request rejected or not is not yet up... if (!/(rejected|not yet up)/.test(result.error.message)) { + // fether Issue #317 + // js-libs Issue #77 Masks the password param when logging error to console on methods that contain it as a param. + // e.g. ["0x2",{},"myincorrectpassword"] -> ["0x2",{},"***"] const dangerous_methods = ['signer_confirmRequest', 'signer_confirmRequestWithToken']; let safe_params; if (dangerous_methods.includes(method)) {
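Review bot: The comment added in PATCH 5/5 says the password is masked "on methods that contain it as a param", which is broader than what the code does. Only the two names in `dangerous_methods` are covered, and the element replaced is whatever comes last, which by its name is a token rather than a password for `signer_confirmRequestWithToken`. Any other call through this transport that carries a secret, or one where the secret is not the final argument, is still logged in full, and the comment should say so to avoid implying that console output is scrubbed. Suggested wording: `// Mask the last param (password or token) of the signer_confirmRequest* calls before logging; all other methods are logged unredacted.` The list and the `if` it feeds are context lines here and continue past the end of the hunk.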