Redact sensitive headers in populateServerData (DATA-12974)#32
pragyash258 wants to merge 8 commits into
Weekly npm and github-actions ecosystem updates with grouped minor/patch PRs.
…, DATA-12979, DATA-12992) Add header denylist for Authorization/Cookie/Set-Cookie/X-Api-Key/X-Auth-Token/Proxy-Authorization/WWW-Authenticate before serialising request headers into the log payload. extendSensitiveHeaders() lets a host extend the denylist without forking. UUID v1-v5 allowlist on x-chitragupta-log-id at populateServerData; non-UUID inputs are dropped, not propagated.
Block __proto__/constructor/prototype keys at the public setMetaData API. Reserved identity keys (userId/request/etc) intentionally remain writable — host apps legitimately call setMetaData('userId', ...) at request time. Re-exports extendSensitiveHeaders from util.js.
Patch bump for security hardening (header redaction, log-id allowlist, proto guard). Adds engines.node >= 14.0.0 to formalise the runtime floor required for the only consumer (ip-protection on Node 18).
ip-protection (the only Node consumer) runs Node 18.18.0 per its Dockerfile. The previous .nvmrc claim of 10.3.0 was a stale floor that did not match any actual deployment.
Narrowing PR scope to only the operational fix (header denylist). The UUID allowlist on x-chitragupta-log-id closed DATA-12979/12992/13005, but on audit those tickets are not operational hazards — the JSON pipeline already absorbs CRLF inside string values, and Kibana renders log.id as text not HTML, so the downstream XSS leg cannot fire in our deployment. DATA-12979/12992/13005 are reclassified WONT-FIX in /data/chitragupta-security-audit-2026-05-21/INDEX.md (revision 2).
Narrowing PR scope. The PROTO_POLLUTION_KEYS guard closed DATA-12990 but the underlying ticket is library-trust-contract — verifier itself admits Confidence -10 ('depends on host misuse'), and our only Node consumer (ip-protection/utils/middleware.js:119) passes the literal string 'userId' to setMetaData. There is no operational hazard. DATA-12990 reclassified WONT-FIX in /data/chitragupta-security-audit-2026-05-21/INDEX.md (revision 2). Re-export of extendSensitiveHeaders remains because it is part of the DATA-12974 header-denylist feature this PR ships.
Narrowing PR scope. dependabot.yml closed DATA-12994 but the underlying ticket is process hygiene, not an operational hazard. The chitragupta-node repo is a sleepy library; manual `npm audit` cadence at release-tag time is accepted. DATA-12994 reclassified WONT-FIX in /data/chitragupta-security-audit-2026-05-21/INDEX.md (revision 2).
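Added example, not chitragupta-node's code and not anything this PR ships: the two guards the commit messages above describe and then drop from scope, a reserved-key check on setMetaData and a UUID v1-v5 allowlist for x-chitragupta-log-id, written out so the mechanism is concrete. The three key names and the v1-v5 range come from the commit messages; the Object.create(null) store, the regex, the acceptLogId name and the unguardedSet comparison are assumptions made for illustration.

```javascript
'use strict';

// Keys that resolve to the prototype chain rather than to a plain property.
// Exact match, as the commit message describes.
const PROTO_POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// RFC 4122 layout, version nibble restricted to 1-5, variant nibble to 8/9/a/b.
// Anchored on both ends so nothing can trail a valid id (CRLF, markup, etc.).
const UUID_V1_TO_V5 =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Metadata store with no prototype at all (assumption; the library may use a
// plain object). With Object.create(null) there is no Object.prototype behind
// the store for a stray key to reach, so the guard and the store back each
// other up.
const meta = Object.create(null);

// Public setter: reserved identity keys such as 'userId' stay writable, only
// the three prototype keys are refused.
function setMetaData(key, value) {
  if (typeof key !== 'string' || key === '') {
    throw new TypeError('metadata key must be a non-empty string');
  }
  if (PROTO_POLLUTION_KEYS.has(key)) {
    throw new Error(`setMetaData: reserved key "${key}" is not allowed`);
  }
  meta[key] = value;
  return value;
}

function getMetaData(key) {
  return meta[key];
}

// Allowlist for a caller-supplied x-chitragupta-log-id. Returns the id
// (normalised to lower case) when it is a UUID v1-v5, otherwise undefined so
// the caller mints its own id instead of propagating the input.
function acceptLogId(headerValue) {
  if (typeof headerValue !== 'string') return undefined;
  return UUID_V1_TO_V5.test(headerValue) ? headerValue.toLowerCase() : undefined;
}

// Side-by-side comparison of what an unguarded store does with the key
// '__proto__'. Only the local object's prototype is rewired here; nothing
// global is touched, so this is safe to run in a test process.
function unguardedSet(store, key, value) {
  store[key] = value;
  return store;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs, not taken from any real request.
  setMetaData('userId', 'u-1001');
  console.log('userId =', getMetaData('userId'));
  try { setMetaData('__proto__', { admin: true }); } catch (e) { console.log(e.message); }
  console.log(acceptLogId('123e4567-e89b-42d3-a456-426614174000'));                  // accepted
  console.log(acceptLogId('123e4567-e89b-42d3-a456-426614174000\r\nX-Injected: 1')); // undefined
  console.log(unguardedSet({}, '__proto__', { polluted: true }).polluted);                  // true
  console.log(unguardedSet(Object.create(null), '__proto__', { polluted: true }).polluted); // undefined
}
```

The unguardedSet pair is the point of the example: with a plain `{}` the string `__proto__` hits the inherited accessor and swaps the object's prototype, while a null-prototype store turns the same key into an ordinary own property. The allowlist rejects trailing bytes rather than stripping them, so a header that is "almost" a UUID is dropped instead of being partially propagated.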
Summary

Closes DATA-12974 — `populateServerData` in `lib/chitragupta/util.js` was running `JSON.stringify(request.headers)` with no denylist, so every request through `setupServerLogger` was writing Authorization, Cookie, Set-Cookie, X-Api-Key, X-Auth-Token, Proxy-Authorization, and WWW-Authenticate headers into log records in cleartext. Any operator with Kibana access could see Bearer tokens and session cookies. This is the one operational security vulnerability the scan turned up that has a real path in our deployment.

Code changes

- `lib/chitragupta/util.js`: `DEFAULT_SENSITIVE_HEADERS` denylist (case-insensitive match on the 7 header names above) and a `redactHeaders(headers)` helper that replaces matched values with `[REDACTED]` before the JSON serialisation. Export `extendSensitiveHeaders([...])` so a host app can extend the denylist without forking.
- `lib/chitragupta/chitragupta.js`: re-export of `extendSensitiveHeaders` from util.js (part of the same feature).
- `package.json`: `engines: { node: ">=14.0.0" }` to match the only consumer's runtime floor.
- `.nvmrc`

That's the full scope. No other features, no API-shape changes, no behaviour change for non-redacted headers.

Downstream-safety verification

`a11y-engine/ip-protection` is the only Node consumer of chitragupta-node. It uses three Chitragupta APIs (all keep identical surface and semantics after this PR):

- `Chitragupta.setupServerLogger` (app.js:179): … `[REDACTED]`.
- `Chitragupta.jsonLogFormatter` (utils/logger.js:41)
- `Chitragupta.setMetaData('userId', req.userId)` (utils/middleware.js:119): `'userId'` key, no policy change.

Elasticsearch check (chitraguptaes-use-cluster-001, 7-day window): zero saved Kibana searches / dashboards / visualizations / lenses reference any of the 7 sensitive header names; zero documents currently have `data.data.request.headers` populated with these values. The change has no observable blast radius on existing query consumers.

Workspace grep also confirms ip-protection reads `req.headers.authorization` from the live HTTP request (utils/middleware.js:63,157,228) for auth processing — this PR does not touch `req.headers`, so the auth flow is unaffected.

Tickets explicitly NOT in scope of this PR

The other 35 tickets in the DATA-12973 → DATA-13008 range have all been classified as WONT-FIX or DUPLICATE after applying a strict "real operational security vulnerability" lens. They fall into:

- … `'userId'`; verifier itself flags `Confidence -10: depends on host misuse` on the strongest of these.)
- … `contents: read` + zero secrets, etc.)

Per-ticket close-out comments are in `/Users/pragyashpratimbarman/data/chitragupta-security-audit-2026-05-21/DATA-*.md` under each file's `## Final close-out comment` section, ready to copy into the Jira/Slack reply.

Test plan

- … `v1.7.6` on master.
- … `a11y-engine/ip-protection/package.json` to pin chitragupta to `git+https://github.com/browserstack/chitragupta-node.git#v1.7.6` and `npm install chitragupta`.
- … `[REDACTED]` in the indexed log records.
- … `Chitragupta.extendSensitiveHeaders([...])` extension API in the gem README.

🤖 Generated with Claude Code
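Added example, not code from chitragupta-node or from this PR: a header denylist of the shape the description above outlines (a `DEFAULT_SENSITIVE_HEADERS` list, a `redactHeaders(headers)` helper, an `extendSensitiveHeaders([...])` extension hook and the `[REDACTED]` placeholder), applied to a copy of the headers before they are serialised into a log payload. The function names and the seven default header names follow the PR text; the Set-based store, the input validation in extendSensitiveHeaders, the treatment of array-valued headers such as repeated Set-Cookie, the `serializeRequestHeaders` and `leaksAny` helpers and the sample headers are assumptions made for illustration. It deliberately copies rather than mutates its input, so code that still reads `req.headers.authorization` (as the downstream-safety section says ip-protection does) keeps seeing the original value.

```javascript
'use strict';

// The 7 names from the PR description, stored lower-cased so the match is
// case-insensitive however a client spelled the header.
const DEFAULT_SENSITIVE_HEADERS = [
  'authorization', 'cookie', 'set-cookie', 'x-api-key',
  'x-auth-token', 'proxy-authorization', 'www-authenticate',
];
const REDACTED = '[REDACTED]';

// Live denylist. A Set gives O(1) lookups and de-duplicates extensions.
const sensitiveHeaders = new Set(DEFAULT_SENSITIVE_HEADERS);

// Host apps extend the denylist without forking. Bad input is rejected
// loudly rather than silently widening or narrowing the policy.
// Returns the new size of the denylist.
function extendSensitiveHeaders(names) {
  if (!Array.isArray(names)) {
    throw new TypeError('extendSensitiveHeaders expects an array of header names');
  }
  for (const name of names) {
    if (typeof name !== 'string' || name.trim() === '') {
      throw new TypeError(`invalid header name: ${String(name)}`);
    }
    sensitiveHeaders.add(name.trim().toLowerCase());
  }
  return sensitiveHeaders.size;
}

// Returns a NEW object and never mutates the incoming headers, so downstream
// auth code that reads req.headers.authorization is unaffected. Node already
// lower-cases incoming header names, but a hand-built object may not, so each
// key is lower-cased before the lookup. Array values (Node delivers repeated
// Set-Cookie as an array) are replaced as a whole rather than element-wise.
function redactHeaders(headers) {
  if (headers === null || typeof headers !== 'object') return {};
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = sensitiveHeaders.has(name.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

// The step populateServerData would run: redact first, then stringify, so the
// cleartext value never reaches the log payload.
function serializeRequestHeaders(headers) {
  return JSON.stringify(redactHeaders(headers));
}

// Check that a serialised payload contains none of the secret values it was
// given. Handy as a unit-test assertion or a pre-ship grep over log samples.
function leaksAny(serialized, secrets) {
  return secrets.some((secret) => serialized.includes(secret));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample headers, not captured from any real system.
  const sample = {
    host: 'example.internal',
    Authorization: 'Bearer eyJhbGciOi.constructed.token',
    cookie: 'session=abc123; theme=dark',
    'set-cookie': ['sid=deadbeef; HttpOnly', 'csrf=feedface'],
    'X-API-KEY': 'sk_live_constructed',
    'x-request-id': 'req-42',
  };
  console.log(serializeRequestHeaders(sample));
  console.log('original untouched:', sample.Authorization);
  extendSensitiveHeaders(['X-Internal-Secret']);
  console.log(redactHeaders({ 'x-internal-secret': 'hunter2', host: 'example.internal' }));
}
```

Two checks worth keeping in the test suite for a change like this: one that the redacted payload does not contain the secret strings that went in (leaksAny above), and one that the object handed to redactHeaders still carries its original values afterwards, since a redaction helper that edits in place would silently break any later middleware that authenticates from the same headers object.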