Desktop,Mobile,Cli: Resolves #9706: Don't log OneDrive Authorization tokens (#9707)

.eslintignore

@@ -740,6 +740,7 @@ packages/lib/models/utils/userData.test.js
 packages/lib/models/utils/userData.js
 packages/lib/net-utils.js
 packages/lib/ntp.js
+packages/lib/onedrive-api.test.js
 packages/lib/onedrive-api.js
 packages/lib/path-utils.js
 packages/lib/reducer.js

.gitignore

@@ -720,6 +720,7 @@ packages/lib/models/utils/userData.test.js
 packages/lib/models/utils/userData.js
 packages/lib/net-utils.js
 packages/lib/ntp.js
+packages/lib/onedrive-api.test.js
 packages/lib/onedrive-api.js
 packages/lib/path-utils.js
 packages/lib/reducer.js

packages/lib/onedrive-api.test.ts

@@ -0,0 +1,19 @@
+import OneDriveApi from './onedrive-api';
+
+describe('onedrive-api', () => {
+	test.each([
+		[{ Authorization: 'testing' }, { Authorization: '[[DELETED]]' }],
+		[{ headers: { Authorization: 'testing' } }, { headers: { Authorization: '[[DELETED]]' } }],
+		[
+			{ foo: { Authorization: 'testing', bar: 'test' }, baz: 'test2', Authorization: 'testing' },
+			{ foo: { Authorization: '[[DELETED]]', bar: 'test' }, baz: 'test2', Authorization: '[[DELETED]]' },
+		],
+		[
+			{ a: { b: { c: { d: { e: { f: { g: 'Test' } } } }, Authorization: 'bearer someidhere' } } },
+			{ a: { b: { c: { d: { e: { f: '[[depth-exceeded]]' } } }, Authorization: '[[DELETED]]' } } },
+		],
+	])('authorizationTokenRemoved should remove Authorization field', (object, expected) => {
+		const api = new OneDriveApi('testID', 'secret', true);
+		expect(api.authorizationTokenRemoved(object)).toMatchObject(expected);
+	});
+});

packages/lib/onedrive-api.ts

@@ -228,6 +228,34 @@ export default class OneDriveApi {
 		}
 	}
 
+	// Takes an object in the form
+	//   { headers: { Authorization: "token here" } }
+	// or
+	//   { Authorization: "token here" }
+	// Intended to be used for before logging objects that could potentially have an
+	// Authorization token.
+	public authorizationTokenRemoved(data: any, depth = 0) {
+		const newData: any = {};
+
+		if (!data || typeof data !== 'object') {
+			return data;
+		}
+
+		if (depth > 5) {
+			return '[[depth-exceeded]]';
+		}
+
+		for (const key in data) {
+			if (key === 'Authorization') {
+				newData[key] = '[[DELETED]]';
+			} else {
+				newData[key] = this.authorizationTokenRemoved(data[key], depth + 1);
+			}
+		}
+
+		return newData;
+	}
+
 	public async exec(method: string, path: string, query: any = null, data: any = null, options: any = null) {
 		if (!path) throw new Error('Path is required');
 
@@ -363,7 +391,13 @@ export default class OneDriveApi {
 					// Deleting a non-existing item is ok - noop
 					return;
 				} else {
-					error.request = `${method} ${url} ${JSON.stringify(query)} ${JSON.stringify(data)} ${JSON.stringify(options)}`;
+					error.request = [
+						method,
+						url,
+						JSON.stringify(query),
+						JSON.stringify(this.authorizationTokenRemoved(data)),
+						JSON.stringify(this.authorizationTokenRemoved(options)),
+					].join(' ');
 					error.headers = await response.headers;
 					throw error;
 				}