Merge pull request #30 from FSU-Pulchowk/alert-autofix-7

agntperfect · web-flow · commit ce308429bbdc · 2025-08-16T15:44:41.000+05:45
Potential fix for code scanning alert no. 7: Clear-text logging of sensitive information
diff --git a/src/utils/debug.js b/src/utils/debug.js
@@ -147,6 +147,45 @@ class DebugConfig {
 		return data;
 	}
 
+	/**
+	 * Force sanitize sensitive data from objects before logging, regardless of global settings.
+	 * @param {any} data Data to sanitize
+	 * @returns {any} Sanitized data
+	 */
+	_forceSanitizeData(data) {
+		if (data === null || data === undefined) {
+			return data;
+		}
+		// List of sensitive keys to always redact (add more as needed)
+		const sensitivePatterns = [
+			'password', 'secret', 'token', 'key', 'api', 'auth', 'session', 'credential', 'env', 'BIRTHDAY_ANNOUNCEMENT_CHANNEL_ID'
+		];
+		const redact = (obj) => {
+			if (typeof obj !== 'object' || obj === null) return obj;
+			if (Array.isArray(obj)) return obj.map(redact);
+			const result = {};
+			for (const k of Object.keys(obj)) {
+				const lowerK = k.toLowerCase();
+				if (sensitivePatterns.some(pattern => lowerK.includes(pattern))) {
+					result[k] = '[REDACTED]';
+				} else if (typeof obj[k] === 'object' && obj[k] !== null) {
+					result[k] = redact(obj[k]);
+				} else {
+					result[k] = obj[k];
+				}
+			}
+			return result;
+		};
+		// If the data is process.env or contains process.env, redact all values
+		if (
+			(typeof process !== 'undefined' && data === process.env) ||
+			(data && typeof data === 'object' && Object.keys(process.env || {}).some(envKey => Object.prototype.hasOwnProperty.call(data, envKey)))
+		) {
+			return '[REDACTED: process.env]';
+		}
+		return redact(data);
+	}
+
 	/**
 	 * Limit data output length to prevent log flooding
 	 * @param {any} data Data to limit
@@ -344,8 +383,9 @@ node your_script.js -d --debug-no-sanitize          # Disable sanitization (NOT
 		if (this.debugStream) this.debugStream.write(sanitizedMessage + '\n');
 		}
 		if (data !== null) {
-		// Data should already be sanitized and limited before being passed here
-		const formattedData = JSON.stringify(data, null, 2);
+		// Always force sanitization of data before logging, regardless of global settings
+		const forceSanitizedData = this._forceSanitizeData(data);
+		const formattedData = JSON.stringify(forceSanitizedData, null, 2);
 		console.log(formattedData);
 		if (this.debugStream) this.debugStream.write(formattedData + '\n');
 		}
