dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(audit): ScadaBridge C2 review — over-redact scrubs all sensitive free-text fields + outer-catch never-leak test + marker alignment

Browse Source 
I1 (security): OverRedact() in ScadaBridgeAuditRedactor now suppresses ErrorDetail,
ErrorMessage, and Extra (in addition to RequestSummary/ResponseSummary) to the
over-redacted marker in BOTH code paths (Deserialize+with path and the fallback
new-AuditDetails path). SafeDefaultAuditRedactor catch block aligned to match.

M3 (test): OuterCatch_OptionsThrows_NeverLeaks_AllSensitiveFieldsOverRedacted forces
the outer try/catch → OverRedact path via a ThrowingMonitor that throws from
CurrentValue (the first statement in the try block). Asserts (a) Apply does not
throw, and (b) all five sensitive free-text fields are suppressed to the
over-redacted marker with PayloadTruncated=true.

M1 (consistency): SafeDefaultAuditRedactor now uses AuditRedactionPrimitives
constants (RedactedMarker for line-format header values, OverRedactedEventMarker
for the catch block), eliminating the divergent [REDACTED]/[redacted by ...]
strings. AuditRedactionPrimitives gains OverRedactedEventMarker = RedactorErrorMarker.
SafeDefaultAuditRedactorTests updated from [REDACTED] → <redacted>.

M2 (comment): Added one-line note in TruncateField explaining why the char-count
(result.Length != value.Length) truncation check is sufficient given TruncateUtf8
only ever shortens.
This commit is contained in:
Joseph Doherty
2026-06-02 11:12:18 -04:00
parent adfb4d385c
commit 5aaf9e2923
5 changed files with 109 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/ZB.MOM.WW.ScadaBridge.AuditLog.Tests/Redaction/SafeDefaultAuditRedactorTests.cs
+3 -3
View File
@@ -43,7 +43,7 @@ public class SafeDefaultAuditRedactorTests
var result = SafeDefaultAuditRedactor.Instance.Apply(evt);
var d = Details(result);
Assert.Contains("Authorization: [REDACTED]", d.RequestSummary!);
Assert.Contains("Authorization: <redacted>", d.RequestSummary!);
Assert.DoesNotContain("secret-token", d.RequestSummary!);
Assert.Contains("Content-Type: application/json", d.RequestSummary!);
}
@@ -56,7 +56,7 @@ public class SafeDefaultAuditRedactorTests
var result = SafeDefaultAuditRedactor.Instance.Apply(evt);
var d = Details(result);
Assert.Contains("Set-Cookie: [REDACTED]", d.ResponseSummary!);
Assert.Contains("Set-Cookie: <redacted>", d.ResponseSummary!);
Assert.DoesNotContain("abc123", d.ResponseSummary!);
Assert.Contains("X-Other: ok", d.ResponseSummary!);
}
@@ -68,7 +68,7 @@ public class SafeDefaultAuditRedactorTests
var result = SafeDefaultAuditRedactor.Instance.Apply(evt);
Assert.Contains("[REDACTED]", Details(result).RequestSummary!);
Assert.Contains("<redacted>", Details(result).RequestSummary!);
Assert.DoesNotContain("x-y-z", Details(result).RequestSummary!);
}
tests/ZB.MOM.WW.ScadaBridge.AuditLog.Tests/Redaction/ScadaBridgeAuditRedactorTests.cs
+65
View File
@@ -520,6 +520,58 @@ public class ScadaBridgeAuditRedactorTests
Assert.Null(ex);
}
[Fact]
public void OuterCatch_OptionsThrows_NeverLeaks_AllSensitiveFieldsOverRedacted()
{
// Force the outer try/catch → OverRedact path by injecting an
// IOptionsMonitor whose CurrentValue getter throws. This is the FIRST
// statement in the try block, so the exception escapes before any
// redaction work has run — the input event could still carry live
// sensitive values in all five free-text fields.
//
// The never-leak contract requires ALL of RequestSummary, ResponseSummary,
// ErrorDetail, ErrorMessage, and Extra to be suppressed to the
// over-redacted marker, and PayloadTruncated to be true.
var sensitiveEvent = NewEvent(
request: "SENSITIVE-REQUEST-DATA",
response: "SENSITIVE-RESPONSE-DATA",
errorDetail: "SENSITIVE-ERROR-DETAIL",
extra: "SENSITIVE-EXTRA-DATA");
// Manually inject ErrorMessage into DetailsJson (NewEvent does not expose it).
var withMsg = sensitiveEvent with
{
DetailsJson = AuditDetailsCodec.Serialize(
AuditDetailsCodec.Deserialize(sensitiveEvent.DetailsJson) with
{
ErrorMessage = "SENSITIVE-ERROR-MESSAGE",
}),
};
var redactor = new ScadaBridgeAuditRedactor(
new ThrowingMonitor(),
Microsoft.Extensions.Logging.Abstractions.NullLogger<ScadaBridgeAuditRedactor>.Instance);
// (a) Apply must not throw even when options access itself throws.
var ex = Record.Exception(() => redactor.Apply(withMsg));
Assert.Null(ex);
// (b) Returned event must have ALL sensitive free-text fields suppressed
// (never-leak guarantee), and PayloadTruncated must be true.
var result = redactor.Apply(withMsg);
var d = Details(result);
const string marker = "<redacted: redactor error>";
Assert.Equal(marker, d.RequestSummary);
Assert.Equal(marker, d.ResponseSummary);
Assert.Equal(marker, d.ErrorDetail);
Assert.Equal(marker, d.ErrorMessage);
Assert.Equal(marker, d.Extra);
Assert.True(d.PayloadTruncated);
// Confirm no raw sensitive values survive anywhere in DetailsJson.
Assert.DoesNotContain("SENSITIVE", result.DetailsJson ?? "");
}
/// <summary>Counts <see cref="IAuditRedactionFailureCounter.Increment"/> calls.</summary>
private sealed class CountingRedactionFailureCounter : IAuditRedactionFailureCounter
{
@@ -537,4 +589,17 @@ public class ScadaBridgeAuditRedactorTests
public AuditLogOptions Get(string? name) => _value;
public IDisposable? OnChange(Action<AuditLogOptions, string?> listener) => null;
}
/// <summary>
/// IOptionsMonitor test double that throws from <see cref="CurrentValue"/> to
/// force the outer try/catch → OverRedact path in
/// <see cref="ScadaBridgeAuditRedactor.Apply"/>.
/// </summary>
private sealed class ThrowingMonitor : IOptionsMonitor<AuditLogOptions>
{
public AuditLogOptions CurrentValue =>
throw new InvalidOperationException("Simulated options fault for outer-catch test");
public AuditLogOptions Get(string? name) => new AuditLogOptions();
public IDisposable? OnChange(Action<AuditLogOptions, string?> listener) => null;
}
}