From ea58d519078916d4cf273628653e348befbaf6c0 Mon Sep 17 00:00:00 2001
From: Francis Lavoie <lavofr@gmail.com>
Date: Wed, 5 Oct 2022 01:21:23 -0400
Subject: logging: Perform filtering on arrays of strings (where possible)
 (#5101)

* logging: Perform filtering on arrays of strings (where possible)

* Add test for ip_mask filter

* Oops, need to continue when it's not an IP

* Test for invalid IPs
---
 modules/logging/filters_test.go | 112 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 110 insertions(+), 2 deletions(-)

(limited to 'modules/logging/filters_test.go')

diff --git a/modules/logging/filters_test.go b/modules/logging/filters_test.go
index 2b087f2..e9c3e77 100644
--- a/modules/logging/filters_test.go
+++ b/modules/logging/filters_test.go
@@ -8,6 +8,81 @@ import (
 	"go.uber.org/zap/zapcore"
 )
 
+func TestIPMaskSingleValue(t *testing.T) {
+	f := IPMaskFilter{IPv4MaskRaw: 16, IPv6MaskRaw: 32}
+	f.Provision(caddy.Context{})
+
+	out := f.Filter(zapcore.Field{String: "255.255.255.255"})
+	if out.String != "255.255.0.0" {
+		t.Fatalf("field has not been filtered: %s", out.String)
+	}
+
+	out = f.Filter(zapcore.Field{String: "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"})
+	if out.String != "ffff:ffff::" {
+		t.Fatalf("field has not been filtered: %s", out.String)
+	}
+
+	out = f.Filter(zapcore.Field{String: "not-an-ip"})
+	if out.String != "not-an-ip" {
+		t.Fatalf("field has been filtered: %s", out.String)
+	}
+}
+
+func TestIPMaskCommaValue(t *testing.T) {
+	f := IPMaskFilter{IPv4MaskRaw: 16, IPv6MaskRaw: 32}
+	f.Provision(caddy.Context{})
+
+	out := f.Filter(zapcore.Field{String: "255.255.255.255, 244.244.244.244"})
+	if out.String != "255.255.0.0, 244.244.0.0" {
+		t.Fatalf("field has not been filtered: %s", out.String)
+	}
+
+	out = f.Filter(zapcore.Field{String: "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, ff00:ffff:ffff:ffff:ffff:ffff:ffff:ffff"})
+	if out.String != "ffff:ffff::, ff00:ffff::" {
+		t.Fatalf("field has not been filtered: %s", out.String)
+	}
+
+	out = f.Filter(zapcore.Field{String: "not-an-ip, 255.255.255.255"})
+	if out.String != "not-an-ip, 255.255.0.0" {
+		t.Fatalf("field has not been filtered: %s", out.String)
+	}
+}
+
+func TestIPMaskMultiValue(t *testing.T) {
+	f := IPMaskFilter{IPv4MaskRaw: 16, IPv6MaskRaw: 32}
+	f.Provision(caddy.Context{})
+
+	out := f.Filter(zapcore.Field{Interface: caddyhttp.LoggableStringArray{
+		"255.255.255.255",
+		"244.244.244.244",
+	}})
+	arr, ok := out.Interface.(caddyhttp.LoggableStringArray)
+	if !ok {
+		t.Fatalf("field is wrong type: %T", out.Integer)
+	}
+	if arr[0] != "255.255.0.0" {
+		t.Fatalf("field entry 0 has not been filtered: %s", arr[0])
+	}
+	if arr[1] != "244.244.0.0" {
+		t.Fatalf("field entry 1 has not been filtered: %s", arr[1])
+	}
+
+	out = f.Filter(zapcore.Field{Interface: caddyhttp.LoggableStringArray{
+		"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
+		"ff00:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
+	}})
+	arr, ok = out.Interface.(caddyhttp.LoggableStringArray)
+	if !ok {
+		t.Fatalf("field is wrong type: %T", out.Integer)
+	}
+	if arr[0] != "ffff:ffff::" {
+		t.Fatalf("field entry 0 has not been filtered: %s", arr[0])
+	}
+	if arr[1] != "ff00:ffff::" {
+		t.Fatalf("field entry 1 has not been filtered: %s", arr[1])
+	}
+}
+
 func TestQueryFilter(t *testing.T) {
 	f := QueryFilter{[]queryFilterAction{
 		{replaceAction, "foo", "REDACTED"},
@@ -78,7 +153,7 @@ func TestValidateCookieFilter(t *testing.T) {
 	}
 }
 
-func TestRegexpFilter(t *testing.T) {
+func TestRegexpFilterSingleValue(t *testing.T) {
 	f := RegexpFilter{RawRegexp: `secret`, Value: "REDACTED"}
 	f.Provision(caddy.Context{})
 
@@ -88,7 +163,24 @@ func TestRegexpFilter(t *testing.T) {
 	}
 }
 
-func TestHashFilter(t *testing.T) {
+func TestRegexpFilterMultiValue(t *testing.T) {
+	f := RegexpFilter{RawRegexp: `secret`, Value: "REDACTED"}
+	f.Provision(caddy.Context{})
+
+	out := f.Filter(zapcore.Field{Interface: caddyhttp.LoggableStringArray{"foo-secret-bar", "bar-secret-foo"}})
+	arr, ok := out.Interface.(caddyhttp.LoggableStringArray)
+	if !ok {
+		t.Fatalf("field is wrong type: %T", out.Integer)
+	}
+	if arr[0] != "foo-REDACTED-bar" {
+		t.Fatalf("field entry 0 has not been filtered: %s", arr[0])
+	}
+	if arr[1] != "bar-REDACTED-foo" {
+		t.Fatalf("field entry 1 has not been filtered: %s", arr[1])
+	}
+}
+
+func TestHashFilterSingleValue(t *testing.T) {
 	f := HashFilter{}
 
 	out := f.Filter(zapcore.Field{String: "foo"})
@@ -96,3 +188,19 @@ func TestHashFilter(t *testing.T) {
 		t.Fatalf("field has not been filtered: %s", out.String)
 	}
 }
+
+func TestHashFilterMultiValue(t *testing.T) {
+	f := HashFilter{}
+
+	out := f.Filter(zapcore.Field{Interface: caddyhttp.LoggableStringArray{"foo", "bar"}})
+	arr, ok := out.Interface.(caddyhttp.LoggableStringArray)
+	if !ok {
+		t.Fatalf("field is wrong type: %T", out.Integer)
+	}
+	if arr[0] != "2c26b46b" {
+		t.Fatalf("field entry 0 has not been filtered: %s", arr[0])
+	}
+	if arr[1] != "fcde2b2e" {
+		t.Fatalf("field entry 1 has not been filtered: %s", arr[1])
+	}
+}
-- 
cgit v1.2.3