fix(redaction): consolidate redaction utils, apply them to inputs and outputs before persisting logs (#2478)

* fix(redaction): consolidate redaction utils, apply them to inputs and outputs before persisting logs

* added testing utils

Author: waleedlatif1

apps/sim/app/api/auth/sso/register/route.ts

@@ -2,6 +2,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { auth } from '@/lib/auth'
 import { env } from '@/lib/core/config/env'
+import { REDACTED_MARKER } from '@/lib/core/security/redaction'
 import { createLogger } from '@/lib/logs/console/logger'
 
 const logger = createLogger('SSO-Register')
@@ -236,13 +237,13 @@ export async function POST(request: NextRequest) {
           oidcConfig: providerConfig.oidcConfig
             ? {
                 ...providerConfig.oidcConfig,
-                clientSecret: '[REDACTED]',
+                clientSecret: REDACTED_MARKER,
               }
             : undefined,
           samlConfig: providerConfig.samlConfig
             ? {
                 ...providerConfig.samlConfig,
-                cert: '[REDACTED]',
+                cert: REDACTED_MARKER,
               }
             : undefined,
         },

apps/sim/app/api/tools/stagehand/agent/route.ts

@@ -1,6 +1,7 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { env } from '@/lib/core/config/env'
+import { isSensitiveKey, REDACTED_MARKER } from '@/lib/core/security/redaction'
 import { createLogger } from '@/lib/logs/console/logger'
 import { ensureZodObject, normalizeUrl } from '@/app/api/tools/stagehand/utils'
 
@@ -188,7 +189,7 @@ export async function POST(request: NextRequest) {
 
       if (variablesObject && Object.keys(variablesObject).length > 0) {
         const safeVarKeys = Object.keys(variablesObject).map((key) => {
-          return key.toLowerCase().includes('password') ? `${key}: [REDACTED]` : key
+          return isSensitiveKey(key) ? `${key}: ${REDACTED_MARKER}` : key
         })
         logger.info('Variables available for task', { variables: safeVarKeys })
       }

apps/sim/instrumentation-client.ts

@@ -3,6 +3,7 @@
  */
 
 import { env } from './lib/core/config/env'
+import { sanitizeEventData } from './lib/core/security/redaction'
 
 if (typeof window !== 'undefined') {
   const TELEMETRY_STATUS_KEY = 'simstudio-telemetry-status'
@@ -41,37 +42,6 @@ if (typeof window !== 'undefined') {
     }
   }
 
-  /**
-   * Sanitize event data to remove sensitive information
-   */
-  function sanitizeEvent(event: any): any {
-    const patterns = ['password', 'token', 'secret', 'key', 'auth', 'credential', 'private']
-    const sensitiveRe = new RegExp(patterns.join('|'), 'i')
-
-    const scrubString = (s: string) => (s && sensitiveRe.test(s) ? '[redacted]' : s)
-
-    if (event == null) return event
-    if (typeof event === 'string') return scrubString(event)
-    if (typeof event !== 'object') return event
-
-    if (Array.isArray(event)) {
-      return event.map((item) => sanitizeEvent(item))
-    }
-
-    const sanitized: Record<string, unknown> = {}
-    for (const [key, value] of Object.entries(event)) {
-      const lowerKey = key.toLowerCase()
-      if (patterns.some((p) => lowerKey.includes(p))) continue
-
-      if (typeof value === 'string') sanitized[key] = scrubString(value)
-      else if (Array.isArray(value)) sanitized[key] = value.map((v) => sanitizeEvent(v))
-      else if (value && typeof value === 'object') sanitized[key] = sanitizeEvent(value)
-      else sanitized[key] = value
-    }
-
-    return sanitized
-  }
-
   /**
    * Flush batch of events to server
    */
@@ -84,7 +54,7 @@ if (typeof window !== 'undefined') {
       batchTimer = null
     }
 
-    const sanitizedBatch = batch.map(sanitizeEvent)
+    const sanitizedBatch = batch.map(sanitizeEventData)
 
     const payload = JSON.stringify({
       category: 'batch',

apps/sim/lib/core/security/input-validation.test.ts

@@ -1,7 +1,6 @@
 import { describe, expect, it } from 'vitest'
 import {
   createPinnedUrl,
-  sanitizeForLogging,
   validateAlphanumericId,
   validateEnum,
   validateFileExtension,
@@ -11,6 +10,7 @@ import {
   validateUrlWithDNS,
   validateUUID,
 } from '@/lib/core/security/input-validation'
+import { sanitizeForLogging } from '@/lib/core/security/redaction'
 
 describe('validatePathSegment', () => {
   describe('valid inputs', () => {

apps/sim/lib/core/security/input-validation.ts

@@ -556,29 +556,6 @@ export function validateFileExtension(
   return { isValid: true, sanitized: normalizedExt }
 }
 
-/**
- * Sanitizes a string for safe logging (removes potential sensitive data patterns)
- *
- * @param value - The value to sanitize
- * @param maxLength - Maximum length to return (default: 100)
- * @returns Sanitized string safe for logging
- */
-export function sanitizeForLogging(value: string, maxLength = 100): string {
-  if (!value) return ''
-
-  // Truncate long values
-  let sanitized = value.substring(0, maxLength)
-
-  // Mask common sensitive patterns
-  sanitized = sanitized
-    .replace(/Bearer\s+[A-Za-z0-9\-._~+/]+=*/gi, 'Bearer [REDACTED]')
-    .replace(/password['":\s]*['"]\w+['"]/gi, 'password: "[REDACTED]"')
-    .replace(/token['":\s]*['"]\w+['"]/gi, 'token: "[REDACTED]"')
-    .replace(/api[_-]?key['":\s]*['"]\w+['"]/gi, 'api_key: "[REDACTED]"')
-
-  return sanitized
-}
-
 /**
  * Validates Microsoft Graph API resource IDs
  *