
json-masker's Issues

whitelisting

Problem

Although the json-masker library is pretty good at masking sensitive data in the general case, it masks too much in some situations. For example, we have to hide sensitive data in an array of patch instructions.
Thus,

[
    {"op": "replace", "path": "customer/customerIdentity/firstName", "value": "the_new_customer_name"},
    {"op": "replace", "path": "customer/customerIdentifier/sourceMarket", "value": "GB"}
]

will be transformed to something like:

[
    {"op": "xxxxxxx", "path": "xxxxxxxxxx/xxxxxxx/xxxXxx", "value": "XxxxxxxXxxx*"},
    {"op": "xxxxxxx", "path": "xxxxxxxxxx/xxxxxxx/xxxXxxx", "value": "XxxxxxxXxxx*"}
]

We are 100% sure that the "op" and "path" fields never contain sensitive info, but the values of those fields could be useful for debugging purposes. The solution might be whitelisting of exact fields.

Possible solutions

  1. by array of keys
    For example, we can say that ['op', 'path'] values should never be masked no matter where we find these keys in the JSON structure. This solution is the simplest, but as a drawback, there is a chance to unmask something that we didn't want to. However, from my point of view, the probability of such a problem is very low.
  2. by exact keys (full path in json)
    This is the most secure variant, but it also has a drawback. It could be hard to cover the case from the problem description, as it is not clear how to deal with arrays.
  3. by regexp
    This is the most flexible solution, but we can still accidentally unmask something unwanted. Moreover, it could cause a performance issue, which is bad for a lightweight logging-related library.
  4. mix of all previous
    Could contain all the problems from all solutions and have a too complex configuration.

I propose to start with the first variant, at least to begin with. @shumsky what do you think?
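
A sketch of options 1 and 2 from the issue above, added here as an illustration; it is not json-masker's code or API. The function names, the `[]` path notation for array elements, and the simplified masking rule are assumptions, and the `other` document is constructed to show how a key-name whitelist can leave an unrelated field in clear text.

```javascript
// Added illustration, not json-masker's code or API; all names here are hypothetical.
// Simplified stand-in masking rule: letters become x/X, digits become *.
function maskString(s) {
  return s.replace(/[a-z]/g, 'x').replace(/[A-Z]/g, 'X').replace(/[0-9]/g, '*');
}

// Walk a parsed JSON value. `allow(key, path)` decides whether a leaf stays in clear.
// Array elements contribute "[]" to the path, so one rule covers every index.
function mask(value, allow, key = null, path = '') {
  if (Array.isArray(value)) {
    return value.map((v) => mask(v, allow, key, `${path}[]`));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = mask(v, allow, k, path ? `${path}.${k}` : k);
    }
    return out;
  }
  if (typeof value === 'string' || typeof value === 'number') {
    return allow(key, path) ? value : maskString(String(value));
  }
  return value; // booleans and null carry no maskable text
}

// Option 1: whitelist by key name, wherever the key appears.
const byKey = (keys) => (key) => keys.includes(key);
// Option 2: whitelist by exact path from the document root.
const byPath = (paths) => (_key, path) => paths.includes(path);

// Patch instruction taken from the issue text.
const patch = [
  { op: 'replace', path: 'customer/customerIdentity/firstName', value: 'the_new_customer_name' },
];
// Constructed sample: an unrelated document that reuses the key "path" for sensitive data.
const other = { upload: { path: '/home/jane.doe/passport.pdf' } };

console.log(mask(patch, byKey(['op', 'path'])));        // op and path stay readable
console.log(mask(other, byKey(['op', 'path'])));        // option 1 leaves upload.path in clear
console.log(mask(other, byPath(['[].op', '[].path']))); // option 2 masks it
console.log(mask(patch, byPath(['[].op', '[].path']))); // and still clears the patch array
```

Treating every array index as `[]` is one way to address the "how to deal with arrays" concern in option 2 while keeping the whitelist check a plain list lookup rather than a regexp match.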

Allow Blacklisting also

Is there any way to allow blacklisting instead of whitelisting, so we will mention the field names to be masked and the remaining fields will not be masked?
