since v9.12, censor behaviour changed #2313
Description
before v9.12, the censor function was only called when the exact path was found, now, if the path points to a nested key, it is always called if the parent key exists.
is this expected?
import type { LoggerOptions } from 'pino';
import * as pino from 'pino';
const accessTokenRegex = /access_token=[a-zA-Z0-9_-]*/g;
const bearerTokenRegex = /\s+(\S+)$/;
const logParams: LoggerOptions = {
redact: {
paths: ['a.b.c', 'req.authorization', 'url'],
censor(value, path) {
console.log({ value, path });
if (typeof value !== 'string') {
return '***';
}
if (path[0] === 'url') {
return value.replace(accessTokenRegex, 'access_token=***');
}
if (path.length === 2 && path[0] === 'req' && path[1] === 'authorization') {
return value.replace(bearerTokenRegex, ' ***');
}
return '***';
}
}
};
const logger = pino(logParams);
logger.info('test message'); // <- censor not called
logger.info({ req: { authorization: 'bearer do-not-show-me' } }, 'test message'); // <- censor called for 'req.authorization'
logger.info({ url: '/protected?access_token=do-not-show-me'}, 'test message'); // <- censor called for 'url'
logger.info({ url: '/protected?access_token=do-not-show-me', req: { authorization: 'bearer do-not-show-me' } }, 'test message'); // <- censor called for 'req.authorization' and 'url'
logger.info({ req: { id: 'test' } }, 'test message'); // <- censor not called <9.12, called >=9.12 for 'req.authorization'
logger.info({ a: { d: 'test' } } , 'test message'); // <- censor not called <9.12, called >=9.12 for 'a.b.c'
logger.info({ a: { c: 'should-not-show-me' }, req: { id: 'test' } } , 'test message'); // <- censor not called <9.12, called >=9.12 for 'a.b.c' and 'req.authorization'