chore: add known secret prefixes masking

Signed-off-by: nikolay <[email protected]>

packages/config-service/src/services/loggerService.ts

@@ -28,14 +28,27 @@ export class LoggerService {
     GlobalConfig.ENTRIES.GH_ACCESS_TOKEN.envName,
   ];
 
+  public static readonly KNOWN_SECRET_PREFIXES = [
+    'ghp', // GitHub personal access tokens
+    'gho', // OAuth access tokens
+    'ghu', // GitHub user-to-server tokens
+    'ghs', // GitHub server-to-server tokens
+    'ghr', // refresh tokens
+  ];
+
   /**
    * Hide sensitive information
    *
    * @param envName
    * @param envValue
    */
   static maskUpEnv(envName: string, envValue: string | undefined): string {
-    if (this.SENSITIVE_FIELDS.indexOf(envName) > -1) {
+    const isSensitiveField: boolean = this.SENSITIVE_FIELDS.indexOf(envName) > -1;
+    const isKnownSecret: boolean =
+      GlobalConfig.ENTRIES[envName].type === 'string' &&
+      this.KNOWN_SECRET_PREFIXES.indexOf(envValue ? envValue.slice(0, 3) : '') > -1;
+
+    if (isSensitiveField || isKnownSecret) {
       return `${envName} = **********`;
     }
 

packages/config-service/tests/src/services/loggerService.spec.ts

@@ -36,6 +36,16 @@ describe('LoggerService tests', async function () {
     }
   });
 
+  it('should be able to mask every value if it starts with known secret prefix', async () => {
+    const { envName } = GlobalConfig.ENTRIES.HBAR_SPENDING_PLANS_CONFIG_FILE;
+
+    for (const prefix of LoggerService.KNOWN_SECRET_PREFIXES) {
+      const value = prefix + crypto.randomBytes(16).toString('hex');
+      const res = LoggerService.maskUpEnv(envName, value);
+      expect(res).to.equal(`${envName} = **********`);
+    }
+  });
+
   it('should be able to return plain information', async () => {
     const envName = GlobalConfig.ENTRIES.CHAIN_ID.envName;
     const res = ConfigService.get(envName);