Bridge/Gateway: Redact passwords in command logs/prompts (#430)

cli/assets/views/gateway_executor.html

@@ -38,6 +38,19 @@
         document.getElementById('click-btn').innerText = isEnabled ? 'Confirm and scan HaLo' : 'Waiting for command...';
       }
 
+      function redactCommandObj(originalObject) {
+          // ensure deep copy
+          let obj = JSON.parse(JSON.stringify(originalObject));
+
+          for (const key of Object.keys(obj)) {
+              if (key.toLowerCase().includes("password")) {
+                  obj[key] = "<< REDACTED >>";
+              }
+          }
+
+          return obj;
+      }
+
       toggleConfirmBtn(false);
 
       async function confirmButtonClicked(ev) {
@@ -60,7 +73,7 @@
             // callback when a new command arrives
             log(
               "Requested to execute the following command:\n" +
-                JSON.stringify(command, null, 4)
+                JSON.stringify(redactCommandObj(command), null, 4)
             );
             toggleConfirmBtn(true);
           });

cli/src.ts/util.ts

@@ -1,5 +1,5 @@
-import { fileURLToPath } from 'node:url';
-import { dirname as path_dirname, join as path_join } from 'node:path';
+import {fileURLToPath} from 'node:url';
+import {dirname as path_dirname, join as path_join} from 'node:path';
 import crypto from "crypto";
 import fs from "fs";
 import path from "path";
@@ -9,6 +9,23 @@ function randomBuffer() {
     return Buffer.from(crypto.getRandomValues(new Uint8Array(32)));
 }
 
+function redactLogObject(originalObject: Record<string, unknown>) {
+    // ensure deep copy
+    const obj = JSON.parse(JSON.stringify(originalObject));
+
+    if (Object.prototype.hasOwnProperty.call(obj, "command")) {
+        const cmdObj = obj["command"] as Record<string, unknown>;
+
+        for (const key of Object.keys(cmdObj)) {
+            if (key.toLowerCase().includes("password")) {
+                obj["command"][key] = "<< REDACTED >>"
+            }
+        }
+    }
+
+    return obj
+}
+
 function saveLog(log: Record<string, string | string[]>) {
     const now = new Date();
     const month = now.getMonth() + 1;
@@ -63,4 +80,13 @@ if (process.pkg && process.pkg.entrypoint) {
     dirname = path_join(path_dirname(filename), '..');
 }
 
-export {dirname, randomBuffer, saveLog, getSimConfigPath, simConfigExists, getSimConfig, saveSimConfig};
+export {
+    dirname,
+    randomBuffer,
+    saveLog,
+    getSimConfigPath,
+    simConfigExists,
+    getSimConfig,
+    saveSimConfig,
+    redactLogObject
+};

cli/src.ts/ws_server.ts

@@ -8,7 +8,7 @@ import path from "path";
 import os from "os";
 import util from "util";
 
-import {dirname, randomBuffer} from "./util.js";
+import {dirname, randomBuffer, redactLogObject} from "./util.js";
 import {getBuildInfo} from "./version.js";
 
 import {execHaloCmdPCSC} from "@arx-research/libhalo/api/desktop";
@@ -320,7 +320,8 @@ function wsCreateServer(args: Namespace, getReaderNames: () => string[]) {
             }
 
             const packet = JSON.parse(data.toString('utf-8'));
-            console.log('recv', util.inspect(packet, {showHidden: false, depth: null, colors: true}));
+            const packetToPrint = redactLogObject(packet);
+            console.log('recv', util.inspect(packetToPrint, {showHidden: false, depth: null, colors: true}));
 
             if (packet.type === "exec_halo") {
                 try {