fix(audit): ScadaBridge C2 review — over-redact scrubs all sensitive free-text fields + outer-catch never-leak test + marker alignment

I1 (security): OverRedact() in ScadaBridgeAuditRedactor now suppresses ErrorDetail, ErrorMessage, and Extra (in addition to RequestSummary/ResponseSummary) to the over-redacted marker in BOTH code paths (Deserialize+with path and the fallback new-AuditDetails path). SafeDefaultAuditRedactor catch block aligned to match. M3 (test): OuterCatch_OptionsThrows_NeverLeaks_AllSensitiveFieldsOverRedacted forces the outer try/catch → OverRedact path via a ThrowingMonitor that throws from CurrentValue (the first statement in the try block). Asserts (a) Apply does not throw, and (b) all five sensitive free-text fields are suppressed to the over-redacted marker with PayloadTruncated=true. M1 (consistency): SafeDefaultAuditRedactor now uses AuditRedactionPrimitives constants (RedactedMarker for line-format header values, OverRedactedEventMarker for the catch block), eliminating the divergent [REDACTED]/[redacted by ...] strings. AuditRedactionPrimitives gains OverRedactedEventMarker = RedactorErrorMarker. SafeDefaultAuditRedactorTests updated from [REDACTED] → <redacted>. M2 (comment): Added one-line note in TruncateField explaining why the char-count (result.Length != value.Length) truncation check is sufficient given TruncateUtf8 only ever shortens.
2026-06-02 11:12:18 -04:00
parent adfb4d385c
commit 5aaf9e2923
5 changed files with 109 additions and 16 deletions
@@ -47,14 +47,14 @@ namespace ZB.MOM.WW.ScadaBridge.AuditLog.Redaction;
 /// </list>
 /// </para>
 /// <para>
-/// MUST NOT throw — wrapped in try/catch; over-redacts (drops the summaries to a
-/// safe marker) on any internal failure, mirroring
+/// MUST NOT throw — wrapped in try/catch; over-redacts (drops ALL sensitive free-text
+/// fields to a safe marker) on any internal failure, mirroring
 /// <see cref="SafeDefaultAuditPayloadFilter"/>.
 /// </para>
 /// </remarks>
 public sealed class ScadaBridgeAuditRedactor : IAuditRedactor
 {
-    private const string OverRedactedMarker = "[redacted by ScadaBridgeAuditRedactor]";
+    private const string OverRedactedMarker = AuditRedactionPrimitives.OverRedactedEventMarker;

    private readonly IOptionsMonitor<AuditLogOptions> _options;
    private readonly ILogger<ScadaBridgeAuditRedactor> _logger;
@@ -307,11 +307,13 @@ public sealed class ScadaBridgeAuditRedactor : IAuditRedactor
    }

    /// <summary>
-    /// Over-redaction copy returned from the never-throws catch: drop the
-    /// request/response summaries inside <c>DetailsJson</c> to a safe marker and
-    /// flag <see cref="AuditDetails.PayloadTruncated"/>. Best-effort re-serialise;
-    /// if even that fails, return the input with no summaries via an empty
-    /// details bag.
+    /// Over-redaction copy returned from the never-throws catch: suppress ALL
+    /// potentially-sensitive string fields inside <c>DetailsJson</c> to a safe
+    /// marker and flag <see cref="AuditDetails.PayloadTruncated"/>. "All sensitive
+    /// fields" = <c>RequestSummary</c>, <c>ResponseSummary</c>, <c>ErrorDetail</c>,
+    /// <c>ErrorMessage</c>, and <c>Extra</c> — all body-regex redaction targets
+    /// that can carry sensitive values. Best-effort re-serialise; if even that
+    /// fails, return the input with no sensitive fields via a minimal details bag.
    /// </summary>
    private static AuditEvent OverRedact(AuditEvent rawEvent)
    {
@@ -321,6 +323,9 @@ public sealed class ScadaBridgeAuditRedactor : IAuditRedactor
            {
                RequestSummary = OverRedactedMarker,
                ResponseSummary = OverRedactedMarker,
+                ErrorDetail = OverRedactedMarker,
+                ErrorMessage = OverRedactedMarker,
+                Extra = OverRedactedMarker,
                PayloadTruncated = true,
            };
            return rawEvent with { DetailsJson = AuditDetailsCodec.Serialize(d) };
@@ -331,6 +336,9 @@ public sealed class ScadaBridgeAuditRedactor : IAuditRedactor
            {
                RequestSummary = OverRedactedMarker,
                ResponseSummary = OverRedactedMarker,
+                ErrorDetail = OverRedactedMarker,
+                ErrorMessage = OverRedactedMarker,
+                Extra = OverRedactedMarker,
                PayloadTruncated = true,
            };
            return rawEvent with { DetailsJson = AuditDetailsCodec.Serialize(safe) };