This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

MessageLogging and DataMasking

Posted on 04-09-2020 09:12 AM
nicolastisseran
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,

I figured out that the MessageLogging policy doesn't use the datamasking configuration of Apigee. (here : https://docs.apigee.com/api-platform/security/data-masking)

Thus, it is possible to expose sensitive data, such as password and so on, in distributed logs.
I've successully logged this kind of message :

<Message>This is a test message: body={request.content} / private.password={private.password} / password={password} / access_token={request.header.Authorization}</Message>

The body contains a "password" field. All values are in clear text in the logs, even with the "private." prefix whereas it's masked in the Trace tool.

It works as designed, indeed : "The MaskDataConfiguration is only applied for Trace and Debug session." but IMO it's to consider as an important security leak.

Is there a way to invoke the datamask when logging?

Any plan to implement a such feature in the policy with something like this:

<EnableDatamasking>true(by default)/false</EnableDatamasking>

Regards.

Nicolas.

0 2 261
Topic Labels
0 Likes
Reply
2 REPLIES 2

Posted on --/--/---- --:-- AM
ElangoD
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi Nicolas TISSERAND,

You are correct MaskDataConfiguration apply only to trace, but it's possible to do with the JavaScript

Find the below-attached Code.it will apply masking to any level in JSON, so you don't worry about parsing and it will masking "password" multiple times also.

Steps 1: Include Below code in the Js file and in the flow

Step 2: setVariable which you want to mask as "reqBody"

Step 3: Replace "password" in this line "object.password = "*******";" with "object.<anyKeyNameyou want to mask> = "************";

Step 4: In the message Logging Policy include "dataMaskedBody" not the "request.content"

This data mask will not disturb the request send to the backend.

Hope it helps 🙂

 
var reqBody = context.getVariable("request.content");
 var keyData = ["password"];
 var dataMaskedBody;
 var kyValue;

        var object = JSON.parse(reqBody);
        var result =[];
        var keyDataLength = keyData.length -1;
        for(var ky=0; ky<= keyDataLength;ky++){
            kyValue = keyData[ky];
            customFilter(object,result);
        }

 function customFilter(object,result){
    if(object.hasOwnProperty(kyValue))
    {
        switch(kyValue) {
         case "pin":
             object.password = "*******";
             break;
        default:
             break;
     }
    }
    result.push(object.kyValue);
    for(var i=0; i<Object.keys(object).length; i++){
        if(typeof object[Object.keys(object)[i]] == "object"){
            customFilter(object[Object.keys(object)[i]], result);
        }
    }
 }

  context.setVariable("dataMaskedBody",JSON.stringify(object));
0 Likes
Reply

Posted on --/--/---- --:-- AM
nicolastisseran
Bronze 1
Bronze 1
In response to ElangoD
Reply posted on --/--/---- --:-- AM

Hi @elangosdndev

Thank you for your answer, really appreciated.

Unfortunately, your solution (even if it works) is not fully satifying to me. It is to the developer to do the job. And if he is too lazy, or malicious, then you have a leak. Plus, you have to deal with an heavier apiproxy bundle, with a lot of specific JS to maintain and it could even degrade performances in adding processing latency.

If the MessageLogging was using the DataMasking configuration, that would be fully automatic. Moreover, a malicious developer can not alter the datamask config. Only the org admin can do it. You improve the security.

Anyway, thank you for trying to tackle this feature need.

0 Likes
Reply