fix(audit): ScadaBridge C2 review — over-redact scrubs all sensitive free-text fields + outer-catch never-leak test + marker alignment

I1 (security): OverRedact() in ScadaBridgeAuditRedactor now suppresses ErrorDetail, ErrorMessage, and Extra (in addition to RequestSummary/ResponseSummary) to the over-redacted marker in BOTH code paths (Deserialize+with path and the fallback new-AuditDetails path). SafeDefaultAuditRedactor catch block aligned to match. M3 (test): OuterCatch_OptionsThrows_NeverLeaks_AllSensitiveFieldsOverRedacted forces the outer try/catch → OverRedact path via a ThrowingMonitor that throws from CurrentValue (the first statement in the try block). Asserts (a) Apply does not throw, and (b) all five sensitive free-text fields are suppressed to the over-redacted marker with PayloadTruncated=true. M1 (consistency): SafeDefaultAuditRedactor now uses AuditRedactionPrimitives constants (RedactedMarker for line-format header values, OverRedactedEventMarker for the catch block), eliminating the divergent [REDACTED]/[redacted by ...] strings. AuditRedactionPrimitives gains OverRedactedEventMarker = RedactorErrorMarker. SafeDefaultAuditRedactorTests updated from [REDACTED] → <redacted>. M2 (comment): Added one-line note in TruncateField explaining why the char-count (result.Length != value.Length) truncation check is sufficient given TruncateUtf8 only ever shortens.
2026-06-02 11:12:18 -04:00
parent adfb4d385c
commit 5aaf9e2923
5 changed files with 109 additions and 16 deletions
@@ -2,6 +2,7 @@ using System.Text.RegularExpressions;
 using ZB.MOM.WW.Audit;
 using ZB.MOM.WW.ScadaBridge.AuditLog.Payload;
 using ZB.MOM.WW.ScadaBridge.Commons.Types.Audit;
+using static ZB.MOM.WW.ScadaBridge.AuditLog.Payload.AuditRedactionPrimitives;

 namespace ZB.MOM.WW.ScadaBridge.AuditLog.Redaction;

@@ -60,12 +61,18 @@ public sealed class SafeDefaultAuditRedactor : IAuditRedactor
        }
        catch
        {
-            // Over-redact: drop both summaries entirely so a malformed parse
-            // path never leaks the original. The contract is "never throw."
+            // Over-redact: suppress ALL sensitive free-text fields so a failure
+            // on any internal path never leaks the original. The contract is
+            // "never throw." Uses the shared OverRedactedEventMarker so all
+            // redactor safety-nets emit the same sentinel string.
            var safe = new AuditDetails
            {
-                RequestSummary = "[redacted by SafeDefaultAuditRedactor]",
-                ResponseSummary = "[redacted by SafeDefaultAuditRedactor]",
+                RequestSummary = OverRedactedEventMarker,
+                ResponseSummary = OverRedactedEventMarker,
+                ErrorDetail = OverRedactedEventMarker,
+                ErrorMessage = OverRedactedEventMarker,
+                Extra = OverRedactedEventMarker,
+                PayloadTruncated = true,
            };
            return rawEvent with { DetailsJson = AuditDetailsCodec.Serialize(safe) };
        }
@@ -82,7 +89,9 @@ public sealed class SafeDefaultAuditRedactor : IAuditRedactor
            {
                if (string.Equals(name, sensitive, StringComparison.OrdinalIgnoreCase))
                {
-                    return $"{name}: [REDACTED]";
+                    // Use the shared RedactedMarker so line-format and JSON-format
+                    // header redaction emit the same sentinel string.
+                    return $"{name}: {RedactedMarker}";
                }
            }
            return m.Value;