Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(serializers): avoid implicit sanitization #2081

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat(serializers): avoid implicit sanitization #2081

wants to merge 6 commits into from

Conversation

gerardolima
Copy link

When serializers are defined for HTTP Request or HTTP Response, do not run the correspondent stdSerializers before calling the provided serializer functions.

ISSUE #1991

gerardolima
gerardolima commented Nov 9, 2024
View reviewed changes
lib/proto.js Outdated
Comment on lines 201 to 204
} else if (_obj instanceof IncomingMessage) {
obj = { [requestKey]: _obj }
} else if (_obj instanceof ServerResponse) {
obj = { [responseKey]: _obj }
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If preferred, we can assess type from properties, as previously done in lib/tools.js:

  } else if (_obj.method && _obj.headers && _obj.socket) {
    obj = { [requestKey]: _obj }
  } else if (typeof _obj.setHeader === 'function') {
    obj = { [responseKey]: _obj }

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think property presence will be better here. These could be extended objects, e.g. a FastifyRequest.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

gerardolima
gerardolima commented Nov 9, 2024
View reviewed changes
lib/tools.js
Comment on lines +132 to +135
} else if (key === requestKey && serializers.req) {
value = serializers.req(value)
} else if (key === responseKey && serializers.res) {
value = serializers.res(value)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Behaviour of all stdSerializers follow the same pattern.

pino.d.ts
Comment on lines +411 to +418
/**
* The string key for the 'Request' in the JSON object. Default: "req".
*/
requestKey?: string;
/**
* The string key for the 'Response' in the JSON object. Default: "res".
*/
responseKey?: string;
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The key for request and response are now explicitly configurable. Previously, these had fixed values, set on pino-std-serializers (mapHttpRequest and mapHttpResponse).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe this change makes the exported functions mapHttpRequest and mapHttpResponse deprecated, in pino-std-serializers?

@gerardolima
feat(serializers): avoid implicit sanitization
651d194 
When serializers are defined for HTTP Request or HTTP Response, do not
run the correspondent `stdSerializers` before calling the provided
serializer functions.

ISSUE pinojs#1991
@gerardolima
test(http): use alternative names to req and res
a3b1681
mcollina
mcollina reviewed Nov 10, 2024
View reviewed changes
test/http.test.js Outdated
@@ -160,34 +154,31 @@ test('http response support', async ({ ok, same, error, teardown }) => {
server.close()
})

test('http response support via a serializer', async ({ ok, same, error, teardown }) => {
test('http response support via a serializer', async ({ match, error }) => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please keep the previous test and only add a new one?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Original tests restored. Also fixed linter issues.

@gerardolima
Copy link
Author

ok, I was running isolated tests and only now I noticed there were some assertions on the default serialisers; I am fixing them right now and soon the tests will be fixed; sorry for the silly mistake

@gerardolima
Copy link
Author

hey, @mcollina, are these the changes you expected? is there something that needs improvement or still missing?

mcollina
mcollina approved these changes Nov 22, 2024
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

jsumners
jsumners requested changes Nov 27, 2024
View reviewed changes
Copy link
Member

@jsumners jsumners left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue mentioned deprecating the current implementation and switching to the new one in the next major. I don't see this being implemented in this PR. Have I missed it?

lib/proto.js Outdated
Comment on lines 201 to 204
} else if (_obj instanceof IncomingMessage) {
obj = { [requestKey]: _obj }
} else if (_obj instanceof ServerResponse) {
obj = { [responseKey]: _obj }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think property presence will be better here. These could be extended objects, e.g. a FastifyRequest.

@gerardolima
Copy link
Author

The issue mentioned deprecating the current implementation and switching to the new one in the next major. I don't see this being implemented in this PR. Have I missed it?

This changeset only modifies the following behviour: neither logged Request nor Response objects are not transformed by their corresponding stdSerializers unconditionally, at the start of LOG (lib/tools.js).

This change in behaviour is asserted in test/http.test.js, lines 86 and 240, with tests that create an arbitrary property that should be removed from them, if their standard serializers ran.

@jsumners
Copy link
Member

This changeset only modifies the following behviour: neither logged Request nor Response objects are not transformed by their corresponding stdSerializers unconditionally, at the start of LOG (lib/tools.js).

This change in behaviour is asserted in test/http.test.js, lines 86 and 240, with tests that create an arbitrary property that should be removed from them, if their standard serializers ran.

This is a breaking change, correct?

@gerardolima
Copy link
Author

This is a breaking change, correct?

Yes, this is correct. When custom serializers are provided and they depend on the changes made by the standard serializers on the target objects (ie: to sanitize them?), they will be impacted.

Though running standard serializers when custom serializers are given is not exaclty obvious behaviour -- and I think nor documented --, I understand there might be code in the wild that dependes on it (Hyrum's Law) and publishing this as breaking change should be the safest strategy.

@jsumners
Copy link
Member

Yes, this is correct. When custom serializers are provided and they depend on the changes made by the standard serializers on the target objects (ie: to sanitize them?), they will be impacted.

Then we are missing the deprecation and opt-in for the current version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsumners jsumners jsumners requested changes

@mcollina mcollina mcollina approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gerardolima @jsumners @mcollina