mirror of
https://github.com/balena-os/balena-supervisor.git
synced 2025-01-18 02:40:03 +00:00
Add whitelist-based filtering to mixpanel events
When sending events to mixpanel, we now use an explicit whitelist for the properties sent with the event, to avoid accidental leakage of any sensitive information. Change-Type: patch Signed-off-by: Pablo Carranza Velez <pablo@resin.io>
This commit is contained in:
parent
34d37814c9
commit
20d95ff024
@ -34,6 +34,7 @@
|
||||
"docker-toolbelt": "^3.0.3",
|
||||
"event-stream": "^3.0.20",
|
||||
"express": "^4.0.0",
|
||||
"json-mask": "^0.3.8",
|
||||
"knex": "~0.12.3",
|
||||
"lockfile": "^1.0.1",
|
||||
"lodash": "^4.16.3",
|
||||
@ -58,4 +59,4 @@
|
||||
"versionist": "^2.8.0",
|
||||
"webpack": "^3.0.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -14,6 +14,7 @@ TypedError = require 'typed-error'
|
||||
execAsync = Promise.promisify(require('child_process').exec)
|
||||
device = require './device'
|
||||
{ checkTruthy } = require './lib/validation'
|
||||
mask = require 'json-mask'
|
||||
|
||||
exports.supervisorVersion = require('./lib/supervisor-version')
|
||||
|
||||
@ -26,6 +27,15 @@ else
|
||||
exports.mixpanelProperties = mixpanelProperties =
|
||||
username: configJson.username
|
||||
|
||||
mixpanelMask = [
|
||||
'appId'
|
||||
'delay'
|
||||
'error'
|
||||
'interval'
|
||||
'app(appId,imageId,commit,name)'
|
||||
'stateDiff(status,download_progress,commit,os_version,superisor_version,ip_address)'
|
||||
].join(',')
|
||||
|
||||
exports.mixpanelTrack = (event, properties = {}) ->
|
||||
# Allow passing in an error directly and having it assigned to the error property.
|
||||
if properties instanceof Error
|
||||
@ -40,16 +50,8 @@ exports.mixpanelTrack = (event, properties = {}) ->
|
||||
|
||||
properties = _.cloneDeep(properties)
|
||||
|
||||
# Don't log private env vars (e.g. api keys)
|
||||
if properties?.app?.env?
|
||||
try
|
||||
{ env } = properties.app
|
||||
env = JSON.parse(env) if _.isString(env)
|
||||
safeEnv = _.omit(env, config.privateAppEnvVars)
|
||||
properties.app.env = JSON.stringify(safeEnv)
|
||||
catch
|
||||
properties.app.env = 'Fully hidden due to error in selective hiding'
|
||||
|
||||
# Filter properties to only send the whitelisted keys and values
|
||||
properties = mask(properties, mixpanelMask)
|
||||
console.log('Event:', event, JSON.stringify(properties))
|
||||
# Mutation is bad, and it should feel bad
|
||||
properties = _.assign(properties, mixpanelProperties)
|
||||
|
Loading…
Reference in New Issue
Block a user