chore: introduce jsmasker to mask sensitive debug logging data.

app/routes.js

@@ -6,7 +6,8 @@ const express = require("express")
 const router = express.Router()
 const handleConnection = require("./connectionHandler")
 const basicAuth = require("basic-auth")
-const { sanitizeObject, validateSshTerm } = require("./utils")
+const { validateSshTerm } = require("./utils")
+const maskObject = require('jsmasker');
 const validator = require("validator")
 
 function auth(req, res, next) {
@@ -63,7 +64,7 @@ router.get("/host/:host", auth, function (req, res) {
   req.session.usedBasicAuth = true 
 
   // Sanitize and log the sshCredentials object
-  const sanitizedCredentials = sanitizeObject(
+  const sanitizedCredentials = maskObject(
     JSON.parse(JSON.stringify(req.session.sshCredentials))
   )
   debug("/ssh/host/ Credentials: ", sanitizedCredentials)

app/socket.js

@@ -2,11 +2,12 @@
 // app/socket.js
 "use strict"
 
-var createDebug = require("debug")
+const createDebug = require("debug")
-var debug = createDebug("webssh2:socket")
+const debug = createDebug("webssh2:socket")
-var SSHConnection = require("./ssh")
+const SSHConnection = require("./ssh")
-var { sanitizeObject, validateSshTerm } = require("./utils")
+const { validateSshTerm } = require("./utils")
-var validator = require("validator")
+const maskObject = require('jsmasker');
+const validator = require("validator")
 
 module.exports = function (io, config) {
   io.on("connection", function (socket) {
@@ -30,7 +31,7 @@ module.exports = function (io, config) {
      * @param {Object} config - The configuration object.
      */
     function handleAuthenticate(creds) {
-      debug("handleAuthenticate: " + socket.id + ", %O", sanitizeObject(creds))
+      debug("handleAuthenticate: " + socket.id + ", %O", maskObject(creds))
 
       if (isValidCredentials(creds)) {
         sessionState.term = validateSshTerm(creds.term)
@@ -65,7 +66,7 @@ module.exports = function (io, config) {
           ", INITIALIZING SSH CONNECTION: Host: " +
           creds.host +
           ", creds: %O",
-        sanitizeObject(creds)
+        maskObject(creds)
       )
 
       ssh
@@ -392,7 +393,7 @@ module.exports = function (io, config) {
           ", Host: " +
           creds.host +
           ": HTTP Basic Credentials Exist, creds: %O",
-        sanitizeObject(creds)
+        maskObject(creds)
       )
       handleAuthenticate(creds)
     } else if (!sessionState.authenticated) {

app/ssh.js

@@ -5,7 +5,7 @@
 const createDebug = require("debug")
 const debug = createDebug("webssh2:ssh")
 const SSH = require("ssh2").Client
-const { sanitizeObject } = require("./utils")
+const maskObject = require('jsmasker');
 
 function SSHConnection(config) {
   this.config = config
@@ -16,7 +16,7 @@ function SSHConnection(config) {
 SSHConnection.prototype.connect = function(creds) {
   var self = this
   return new Promise(function(resolve, reject) {
-    debug("connect: %O", sanitizeObject(creds))
+    debug("connect: %O", maskObject(creds))
 
     if (self.conn) {
       self.conn.end()

app/utils.js

@@ -4,38 +4,6 @@ const validator = require("validator")
 const createDebug = require("debug")
 const debug = createDebug("webssh2:utils")
 
-/**
- * Sanitizes an object by replacing sensitive properties with asterisks.
- * @param {Object} obj - The object to sanitize.
- * @param {Array} [properties=['password', 'key', 'secret', 'token']] - The list of properties to sanitize.
- * @returns {Object} - The sanitized object.
- */
-function sanitizeObject(
-  obj,
-  properties = ["password", "key", "secret", "token"]
-) {
-  if (obj && typeof obj === "object") {
-    const copy = Array.isArray(obj) ? [] : Object.assign({}, obj)
-
-    for (const key in obj) {
-      if (obj.hasOwnProperty(key)) {
-        // eslint-disable-line no-prototype-builtins
-        if (properties.includes(key) && typeof obj[key] === "string") {
-          copy[key] = "*".repeat(obj[key].length)
-        } else if (typeof obj[key] === "object") {
-          copy[key] = sanitizeObject(obj[key], properties)
-        } else {
-          copy[key] = obj[key]
-        }
-      }
-    }
-
-    return copy
-  }
-
-  return obj
-}
-
 /**
  * Validates the SSH terminal name using validator functions.
  * Allows alphanumeric characters, hyphens, and periods.
@@ -54,5 +22,4 @@ function validateSshTerm(term) {
   )
 }
 
-exports.sanitizeObject = sanitizeObject
 exports.validateSshTerm = validateSshTerm

package.json

@@ -39,6 +39,7 @@
     "express": "^4.14.1",
     "express-session": "^1.18.0",
     "express-socket.io-session": "^1.3.5",
+    "jsmasker": "^1.1.2",
     "read-config-ng": "~3.0.7",
     "socket.io": "~2.2.0",
     "ssh2": "~0.8.9",