Add key name in the audit log error message (#486)

caroline-ttd · web-flow · commit b396ff2e9489 · 2025-06-25T14:54:53.000-07:00
diff --git a/src/main/java/com/uid2/shared/audit/Audit.java b/src/main/java/com/uid2/shared/audit/Audit.java
@@ -95,8 +95,8 @@ private boolean validateJsonObjectParams(JsonObject jsonObject, String propertyN
             for (String key : jsonObject.fieldNames()) {
                 String val = jsonObject.getString(key);
 
-                boolean containsNoSecret = validateNoSecrets(key, propertyName) && validateNoSecrets(val, propertyName);
-                boolean containsNoSQL = validateNoSQL(key, propertyName) && validateNoSQL(val, propertyName);
+                boolean containsNoSecret = validateNoSecrets(val, String.format("%s.%s", propertyName, key));
+                boolean containsNoSQL = validateNoSQL(val, String.format("%s.%s", propertyName, key));
 
                 if (!(containsNoSecret && containsNoSQL)) {
                     keysToRemove.add(key);
@@ -128,7 +128,7 @@ private boolean validateJsonArrayParams(JsonArray jsonArray, String propertyName
                         newJsonArray.add(object);
                     }
                 } else {
-                    toJsonValidationErrorMessageBuilder.append("The request body is a JSON array, but one of its elements is not a JSON object.");
+                    toJsonValidationErrorMessageBuilder.append(String.format("The request body is a JSON array, but one of its elements is not a JSON object: %s. ", object.toString()));
                 }
             }
 
@@ -152,7 +152,7 @@ private String sanitizeRequestBody(String requestBody) {
                     JsonArray jsonArray = new JsonArray(mapper.writeValueAsString(root));
                     if (validateJsonArrayParams(jsonArray, "request_body")) sanitizedRequestBody = jsonArray.toString();
                 } else {
-                    toJsonValidationErrorMessageBuilder.append("The request body of audit log is not a JSON object or array. ");
+                    toJsonValidationErrorMessageBuilder.append(String.format("The request body of audit log is not a JSON object or array: %s. ", requestBody));
                 }
             } catch (Exception e) {
                 toJsonValidationErrorMessageBuilder.append("The request body of audit log is Invalid JSON: ").append(e.getMessage());
diff --git a/src/test/java/com/uid2/shared/audit/AuditTest.java b/src/test/java/com/uid2/shared/audit/AuditTest.java
@@ -38,8 +38,8 @@ public class AuditTest {
     private SocketAddress mockAddress;
     private Logger logger;
     private ListAppender<ILoggingEvent> listAppender;
-    private String UID2_SECRET_KEY = "UID2-O-P-AB12cd34EF-zyX9_abCDEFghijklMNOPQRSTuvwxYZ0123";
-    private String SECRET = "jhgjy6tuygiuhi";
+    private String UID_SECRET_KEY = "UID2_SECRET_KEY";
+    private String UID_SECRET = "UID2-O-P-AB12cd34EF-zyX9_abCDEFghijklMNOPQRSTuvwxYZ0123";
     private String SQL_STATEMENT = "SELECT * FROM users WHERE username = '' OR '1'='1'";
     private String TRACE_ID = "Root=1-6825017b-2321f2302b5ea904340c1cff";
     private String UID_TRACE_ID = "Root=1-6825017b-2321f2302b5ea904340c1cfa";
@@ -140,13 +140,13 @@ public void testBodyParamsAsJsobObject() {
     @Test
     public void testBodyParamsAsJsobObjectWithSecret() {
         Mockito.when(mockRequest.method()).thenReturn(HttpMethod.POST);
-        AuditParams params = new AuditParams(null, Arrays.asList("name.first", "location", UID2_SECRET_KEY));
+        AuditParams params = new AuditParams(null, Arrays.asList("name.first", "location", UID_SECRET_KEY));
 
         RequestBody mockBody = Mockito.mock(RequestBody.class);
         JsonObject json = new JsonObject()
                 .put("name", new JsonObject().put("first", "uid2_user"))
                 .put("location", "seattle")
-                .put(UID2_SECRET_KEY, SECRET);
+                .put(UID_SECRET_KEY, UID_SECRET);
 
         Mockito.when(mockCtx.body()).thenReturn(mockBody);
         Mockito.when(mockBody.buffer()).thenReturn(Buffer.buffer(json.toString()));
@@ -158,26 +158,25 @@ public void testBodyParamsAsJsobObjectWithSecret() {
                 .toList();
 
         assertThat(messages).allMatch(msg -> msg.contains("uid2_user") && msg.contains("seattle"));
-        assertThat(messages).noneMatch(msg -> msg.contains(UID2_SECRET_KEY));
-        assertThat(messages).noneMatch(msg -> msg.contains(SECRET));
+        assertThat(messages).noneMatch(msg -> msg.contains(UID_SECRET));
 
         boolean errorLogged = listAppender.list.stream()
-                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("Secret found in the audit log: request_body."));
+                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains(String.format("Secret found in the audit log: request_body.%s.", UID_SECRET_KEY)));
 
         assertThat(errorLogged).isTrue();
     }
 
     @Test
     public void testBodyParamsAsJsobObjectWithSecretNSQL() {
         Mockito.when(mockRequest.method()).thenReturn(HttpMethod.POST);
-        AuditParams params = new AuditParams(null, Arrays.asList("name.first", "location", UID2_SECRET_KEY, SQL_STATEMENT));
+        AuditParams params = new AuditParams(null, Arrays.asList("name.first", "location", UID_SECRET_KEY, "weather"));
 
         RequestBody mockBody = Mockito.mock(RequestBody.class);
         JsonObject json = new JsonObject()
                 .put("name", new JsonObject().put("first", "uid2_user"))
                 .put("location", "seattle")
-                .put(UID2_SECRET_KEY, SECRET)
-                .put(SQL_STATEMENT, "weather");
+                .put(UID_SECRET_KEY, UID_SECRET)
+                .put("weather", SQL_STATEMENT);
 
         Mockito.when(mockCtx.body()).thenReturn(mockBody);
         Mockito.when(mockBody.buffer()).thenReturn(Buffer.buffer(json.toString()));
@@ -189,13 +188,11 @@ public void testBodyParamsAsJsobObjectWithSecretNSQL() {
                 .toList();
 
         assertThat(messages).allMatch(msg -> msg.contains("uid2_user") && msg.contains("seattle"));
-        assertThat(messages).noneMatch(msg -> msg.contains(UID2_SECRET_KEY));
-        assertThat(messages).noneMatch(msg -> msg.contains(SECRET));
+        assertThat(messages).noneMatch(msg -> msg.contains(UID_SECRET));
         assertThat(messages).noneMatch(msg -> msg.contains(SQL_STATEMENT));
-        assertThat(messages).noneMatch(msg -> msg.contains("weather"));
 
         boolean errorLogged = listAppender.list.stream()
-                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("Secret found in the audit log: request_body.") && event.getFormattedMessage().contains("SQL injection found in the audit log: request_body."));
+                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains(String.format("Secret found in the audit log: request_body.%s. ", UID_SECRET_KEY)) && event.getFormattedMessage().contains("SQL injection found in the audit log: request_body.weather. "));
 
         assertThat(errorLogged).isTrue();
     }
@@ -248,13 +245,13 @@ public void testBodyParamsAsJsonArray() {
     @Test
     public void testBodyParamsAsJsonArrayWithSecret() {
         Mockito.when(mockRequest.method()).thenReturn(HttpMethod.POST);
-        AuditParams params = new AuditParams(null, Arrays.asList("partner_id", "config", UID2_SECRET_KEY));
+        AuditParams params = new AuditParams(null, Arrays.asList("partner_id", "config", UID_SECRET_KEY));
 
         RequestBody mockBody = Mockito.mock(RequestBody.class);
         JsonArray json = new JsonArray()
                 .add(new JsonObject().put("partner_id", "1").put("config", "config1"))
                 .add(new JsonObject().put("partner_id", "2").put("config", "config2"))
-                .add(new JsonObject().put(UID2_SECRET_KEY, SECRET).put("config", "config3"));
+                .add(new JsonObject().put(UID_SECRET_KEY, UID_SECRET).put("config", "config3"));
 
         Mockito.when(mockCtx.body()).thenReturn(mockBody);
         Mockito.when(mockBody.buffer()).thenReturn(Buffer.buffer(json.toString()));
@@ -266,25 +263,24 @@ public void testBodyParamsAsJsonArrayWithSecret() {
                 .toList();
 
         assertThat(messages).allMatch(msg -> msg.contains("partner_id") && msg.contains("config"));
-        assertThat(messages).noneMatch(msg -> msg.contains(UID2_SECRET_KEY));
-        assertThat(messages).noneMatch(msg -> msg.contains(SECRET));
+        assertThat(messages).noneMatch(msg -> msg.contains(UID_SECRET));
 
         boolean errorLogged = listAppender.list.stream()
-                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("Secret found in the audit log: request_body."));
+                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains(String.format("Secret found in the audit log: request_body.%s", UID_SECRET_KEY)));
 
         assertThat(errorLogged).isTrue();
     }
 
     @Test
     public void testBodyParamsAsJsonArrayWithSecretNSQL() {
         Mockito.when(mockRequest.method()).thenReturn(HttpMethod.POST);
-        AuditParams params = new AuditParams(null, Arrays.asList("partner_id", "config", UID2_SECRET_KEY, "weather"));
+        AuditParams params = new AuditParams(null, Arrays.asList("partner_id", "config", UID_SECRET_KEY, "weather"));
 
         RequestBody mockBody = Mockito.mock(RequestBody.class);
         JsonArray json = new JsonArray()
                 .add(new JsonObject().put("partner_id", "1").put("config", "config1"))
                 .add(new JsonObject().put("partner_id", "2").put("config", "config2"))
-                .add(new JsonObject().put(UID2_SECRET_KEY, SECRET).put("config", "config3"))
+                .add(new JsonObject().put(UID_SECRET_KEY, UID_SECRET).put("config", "config3"))
                 .add(new JsonObject().put("weather", SQL_STATEMENT).put("config", "config3"));
 
         Mockito.when(mockCtx.body()).thenReturn(mockBody);
@@ -297,13 +293,11 @@ public void testBodyParamsAsJsonArrayWithSecretNSQL() {
                 .toList();
 
         assertThat(messages).allMatch(msg -> msg.contains("partner_id") && msg.contains("config"));
-        assertThat(messages).noneMatch(msg -> msg.contains(UID2_SECRET_KEY));
-        assertThat(messages).noneMatch(msg -> msg.contains(SECRET));
+        assertThat(messages).noneMatch(msg -> msg.contains(UID_SECRET));
         assertThat(messages).noneMatch(msg -> msg.contains(SQL_STATEMENT));
-        assertThat(messages).noneMatch(msg -> msg.contains("weather"));
 
         boolean errorLogged = listAppender.list.stream()
-                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("Secret found in the audit log: request_body.") && event.getFormattedMessage().contains("SQL injection found in the audit log: request_body."));
+                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains(String.format("Secret found in the audit log: request_body.%s.", UID_SECRET_KEY)) && event.getFormattedMessage().contains("SQL injection found in the audit log: request_body.weather. "));
 
         assertThat(errorLogged).isTrue();
     }
@@ -352,10 +346,10 @@ public void testQueryParams() {
     @Test
     public void testQueryParamsContainsSecrets() {
         Mockito.when(mockRequest.method()).thenReturn(HttpMethod.POST);
-        AuditParams params = new AuditParams(Arrays.asList(UID2_SECRET_KEY, "location"), null);
+        AuditParams params = new AuditParams(Arrays.asList(UID_SECRET_KEY, "location"), null);
 
         MultiMap queryParams = MultiMap.caseInsensitiveMultiMap();
-        queryParams.add(UID2_SECRET_KEY, SECRET);
+        queryParams.add(UID_SECRET_KEY, UID_SECRET);
         queryParams.add("location", "seattle");
 
         Mockito.when(mockCtx.request().params()).thenReturn(queryParams);
@@ -366,11 +360,10 @@ public void testQueryParamsContainsSecrets() {
                 .toList();
 
         assertThat(messages).anyMatch(msg -> msg.contains("seattle"));
-        assertThat(messages).noneMatch(msg -> msg.contains(UID2_SECRET_KEY));
-        assertThat(messages).noneMatch(msg -> msg.contains(SECRET));
+        assertThat(messages).noneMatch(msg -> msg.contains(UID_SECRET));
 
         boolean errorLogged = listAppender.list.stream()
-                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("Secret found in the audit log: query_params."));
+                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains(String.format("Secret found in the audit log: query_params.%s. ", UID_SECRET_KEY)));
 
         assertThat(errorLogged).isTrue();
     }
@@ -392,24 +385,23 @@ public void testQueryParamsContainsSQL() {
                 .toList();
 
         assertThat(messages).anyMatch(msg -> msg.contains("seattle"));
-        assertThat(messages).noneMatch(msg -> msg.contains("weather"));
         assertThat(messages).noneMatch(msg -> msg.contains(SQL_STATEMENT));
 
         boolean errorLogged = listAppender.list.stream()
-                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("SQL injection found in the audit log: query_params."));
+                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("SQL injection found in the audit log: query_params.weather. "));
 
         assertThat(errorLogged).isTrue();
     }
 
     @Test
     public void testQueryParamsContainsSecretNSQL() {
         Mockito.when(mockRequest.method()).thenReturn(HttpMethod.POST);
-        AuditParams params = new AuditParams(Arrays.asList(UID2_SECRET_KEY, "weather", "location"), null);
+        AuditParams params = new AuditParams(Arrays.asList(UID_SECRET_KEY, "weather", "location"), null);
 
         MultiMap queryParams = MultiMap.caseInsensitiveMultiMap();
         queryParams.add("weather", SQL_STATEMENT);
         queryParams.add("location", "seattle");
-        queryParams.add(UID2_SECRET_KEY, SECRET);
+        queryParams.add(UID_SECRET_KEY, UID_SECRET);
 
         Mockito.when(mockCtx.request().params()).thenReturn(queryParams);
         new Audit("admin").log(mockCtx, params);
@@ -419,13 +411,11 @@ public void testQueryParamsContainsSecretNSQL() {
                 .toList();
 
         assertThat(messages).anyMatch(msg -> msg.contains("seattle"));
-        assertThat(messages).noneMatch(msg -> msg.contains("weather"));
         assertThat(messages).noneMatch(msg -> msg.contains(SQL_STATEMENT));
-        assertThat(messages).noneMatch(msg -> msg.contains(UID2_SECRET_KEY));
-        assertThat(messages).noneMatch(msg -> msg.contains(SECRET));
+        assertThat(messages).noneMatch(msg -> msg.contains(UID_SECRET));
 
         boolean errorLogged = listAppender.list.stream()
-                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains("Secret found in the audit log: query_params.") && event.getFormattedMessage().contains("SQL injection found in the audit log: query_params."));
+                .anyMatch(event -> event.getLevel() == Level.ERROR && event.getFormattedMessage().contains(String.format("Secret found in the audit log: query_params.%s", UID_SECRET_KEY)) && event.getFormattedMessage().contains("SQL injection found in the audit log: query_params.weather. "));
 
         assertThat(errorLogged).isTrue();
     }

Original file line number	Diff line number	Diff line change
`@@ -95,8 +95,8 @@ private boolean validateJsonObjectParams(JsonObject jsonObject, String propertyN`
`95`	`95`	`for (String key : jsonObject.fieldNames()) {`
`96`	`96`	`String val = jsonObject.getString(key);`
`97`	`97`
`98`		`- boolean containsNoSecret = validateNoSecrets(key, propertyName) && validateNoSecrets(val, propertyName);`
`99`		`- boolean containsNoSQL = validateNoSQL(key, propertyName) && validateNoSQL(val, propertyName);`
	`98`	`+ boolean containsNoSecret = validateNoSecrets(val, String.format("%s.%s", propertyName, key));`
	`99`	`+ boolean containsNoSQL = validateNoSQL(val, String.format("%s.%s", propertyName, key));`
`100`	`100`
`101`	`101`	`if (!(containsNoSecret && containsNoSQL)) {`
`102`	`102`	`keysToRemove.add(key);`
`@@ -128,7 +128,7 @@ private boolean validateJsonArrayParams(JsonArray jsonArray, String propertyName`
`128`	`128`	`newJsonArray.add(object);`
`129`	`129`	`}`
`130`	`130`	`} else {`
`131`		`- toJsonValidationErrorMessageBuilder.append("The request body is a JSON array, but one of its elements is not a JSON object.");`
	`131`	`+ toJsonValidationErrorMessageBuilder.append(String.format("The request body is a JSON array, but one of its elements is not a JSON object: %s. ", object.toString()));`
`132`	`132`	`}`
`133`	`133`	`}`
`134`	`134`
`@@ -152,7 +152,7 @@ private String sanitizeRequestBody(String requestBody) {`
`152`	`152`	`JsonArray jsonArray = new JsonArray(mapper.writeValueAsString(root));`
`153`	`153`	`if (validateJsonArrayParams(jsonArray, "request_body")) sanitizedRequestBody = jsonArray.toString();`
`154`	`154`	`} else {`
`155`		`- toJsonValidationErrorMessageBuilder.append("The request body of audit log is not a JSON object or array. ");`
	`155`	`+ toJsonValidationErrorMessageBuilder.append(String.format("The request body of audit log is not a JSON object or array: %s. ", requestBody));`
`156`	`156`	`}`
`157`	`157`	`} catch (Exception e) {`
`158`	`158`	`toJsonValidationErrorMessageBuilder.append("The request body of audit log is Invalid JSON: ").append(e.getMessage());`