chore(middleware-logger): log-filter for schemas

kuhe · kuhe · commit 75c09dd589c8 · 2025-08-08T12:22:41.000-04:00
diff --git a/packages/middleware-logger/package.json b/packages/middleware-logger/package.json
@@ -25,7 +25,9 @@
   "types": "./dist-types/index.d.ts",
   "dependencies": {
     "@aws-sdk/types": "*",
+    "@smithy/core": "^3.8.0",
     "@smithy/types": "^4.3.2",
+    "@smithy/util-middleware": "^4.0.5",
     "tslib": "^2.6.2"
   },
   "devDependencies": {
diff --git a/packages/middleware-logger/src/loggerMiddleware.ts b/packages/middleware-logger/src/loggerMiddleware.ts
@@ -1,13 +1,17 @@
-import {
+import type {
   AbsoluteLocation,
   HandlerExecutionContext,
   InitializeHandler,
   InitializeHandlerArguments,
   InitializeHandlerOptions,
   InitializeHandlerOutput,
   MetadataBearer,
+  OperationSchema,
   Pluggable,
 } from "@smithy/types";
+import { getSmithyContext } from "@smithy/util-middleware";
+
+import { schemaLogFilter } from "./schemaLogFilter";
 
 export const loggerMiddleware =
   () =>
@@ -16,33 +20,42 @@ export const loggerMiddleware =
     context: HandlerExecutionContext
   ): InitializeHandler<any, Output> =>
   async (args: InitializeHandlerArguments<any>): Promise<InitializeHandlerOutput<Output>> => {
+    const { operationSchema } = getSmithyContext(context) as {
+      operationSchema: OperationSchema;
+    };
+
     try {
       const response = await next(args);
-      const { clientName, commandName, logger, dynamoDbDocumentClientOptions = {} } = context;
 
-      const { overrideInputFilterSensitiveLog, overrideOutputFilterSensitiveLog } = dynamoDbDocumentClientOptions;
-      const inputFilterSensitiveLog = overrideInputFilterSensitiveLog ?? context.inputFilterSensitiveLog;
-      const outputFilterSensitiveLog = overrideOutputFilterSensitiveLog ?? context.outputFilterSensitiveLog;
+      const { clientName, commandName, logger } = context;
+
+      const inputLogFilter = operationSchema
+        ? schemaLogFilter.bind(operationSchema.input)
+        : context.inputFilterSensitiveLog;
+      const outputLogFilter = operationSchema
+        ? schemaLogFilter.bind(operationSchema.output)
+        : context.outputFilterSensitiveLog;
 
       const { $metadata, ...outputWithoutMetadata } = response.output;
       logger?.info?.({
         clientName,
         commandName,
-        input: inputFilterSensitiveLog(args.input),
-        output: outputFilterSensitiveLog(outputWithoutMetadata),
+        input: inputLogFilter(args.input),
+        output: outputLogFilter(outputWithoutMetadata),
         metadata: $metadata,
       });
       return response;
     } catch (error) {
-      const { clientName, commandName, logger, dynamoDbDocumentClientOptions = {} } = context;
+      const { clientName, commandName, logger } = context;
 
-      const { overrideInputFilterSensitiveLog } = dynamoDbDocumentClientOptions;
-      const inputFilterSensitiveLog = overrideInputFilterSensitiveLog ?? context.inputFilterSensitiveLog;
+      const inputLogFilter = operationSchema
+        ? schemaLogFilter.bind(operationSchema.input)
+        : context.inputFilterSensitiveLog;
 
       logger?.error?.({
         clientName,
         commandName,
-        input: inputFilterSensitiveLog(args.input),
+        input: inputLogFilter(args.input),
         error,
         metadata: (error as any).$metadata,
       });
diff --git a/packages/middleware-logger/src/schemaLogFilter.ts b/packages/middleware-logger/src/schemaLogFilter.ts
@@ -0,0 +1,46 @@
+import { NormalizedSchema } from "@smithy/core/schema";
+import type { Schema as ISchema } from "@smithy/types";
+
+const SENSITIVE_STRING = "***SensitiveInformation***";
+
+/**
+ * Redacts sensitive parts of any data object using its schema, for logging.
+ *
+ * @internal
+ * @param schema - with filtering traits.
+ * @param data - to be logged.
+ */
+export function schemaLogFilter(schema: ISchema, data: unknown): any {
+  if (data == null) {
+    return data;
+  }
+  const ns = NormalizedSchema.of(schema);
+  if (ns.getMergedTraits().sensitive) {
+    return SENSITIVE_STRING;
+  }
+
+  if (ns.isListSchema()) {
+    const isSensitive = !!ns.getValueSchema().getMergedTraits().sensitive;
+    if (isSensitive) {
+      return SENSITIVE_STRING;
+    }
+  } else if (ns.isMapSchema()) {
+    const isSensitive =
+      !!ns.getKeySchema().getMergedTraits().sensitive || !!ns.getValueSchema().getMergedTraits().sensitive;
+    if (isSensitive) {
+      return SENSITIVE_STRING;
+    }
+  } else if (ns.isStructSchema() && typeof data === "object") {
+    const object = data as Record<string, unknown>;
+
+    const newObject = {} as any;
+    for (const [member, memberNs] of ns.structIterator()) {
+      if (object[member] != null) {
+        newObject[member] = schemaLogFilter(memberNs, object[member]);
+      }
+    }
+    return newObject;
+  }
+
+  return data;
+}
