fix: prevent sensitive data leakage in error logs (#5948)

MatissJanis · web-flow · commit 97482a082d50 · 2025-10-18T16:33:27.000+02:00
diff --git a/packages/sync-server/src/app-gocardless/app-gocardless.js b/packages/sync-server/src/app-gocardless/app-gocardless.js
@@ -1,5 +1,4 @@
 import path from 'path';
-import { inspect } from 'util';
 
 import { isAxiosError } from 'axios';
 import express from 'express';
@@ -244,7 +243,7 @@ app.post(
           });
           break;
         case error instanceof GenericGoCardlessError:
-          console.log('Something went wrong', inspect(error, { depth: null }));
+          console.log('Something went wrong', error.message);
           sendErrorResponse({
             error_type: 'SYNC_ERROR',
             error_code: 'NORDIGEN_ERROR',
@@ -253,15 +252,16 @@ app.post(
         case isAxiosError(error):
           console.log(
             'Something went wrong',
-            inspect(error.response?.data || error, { depth: null }),
+            error.message,
+            error.response?.data?.summary || error.response?.data?.detail || '',
           );
           sendErrorResponse({
             error_type: 'SYNC_ERROR',
             error_code: 'NORDIGEN_ERROR',
           });
           break;
         default:
-          console.log('Something went wrong', inspect(error, { depth: null }));
+          console.log('Something went wrong', error.message || String(error));
           sendErrorResponse({
             error_type: 'UNKNOWN',
             error_code: 'UNKNOWN',
diff --git a/packages/sync-server/src/app-gocardless/banks/integration-bank.js b/packages/sync-server/src/app-gocardless/banks/integration-bank.js
@@ -22,11 +22,6 @@ export default {
   institutionIds: ['IntegrationBank'],
 
   normalizeAccount(account) {
-    console.debug(
-      'Available account properties for new institution integration',
-      { account: JSON.stringify(account) },
-    );
-
     return {
       account_id: account.id,
       institution: account.institution,
@@ -80,24 +75,10 @@ export default {
   },
 
   sortTransactions(transactions = []) {
-    console.debug(
-      'Available (first 10) transactions properties for new integration of institution in sortTransactions function',
-      { top10Transactions: JSON.stringify(transactions.slice(0, 10)) },
-    );
     return sortByBookingDateOrValueDate(transactions);
   },
 
   calculateStartingBalance(sortedTransactions = [], balances = []) {
-    console.debug(
-      'Available (first 10) transactions properties for new integration of institution in calculateStartingBalance function',
-      {
-        balances: JSON.stringify(balances),
-        top10SortedTransactions: JSON.stringify(
-          sortedTransactions.slice(0, 10),
-        ),
-      },
-    );
-
     const currentBalance = balances
       .filter(item => SORTED_BALANCE_TYPE_LIST.includes(item.balanceType))
       .sort(
diff --git a/packages/sync-server/src/app-gocardless/banks/tests/integration_bank.spec.js b/packages/sync-server/src/app-gocardless/banks/tests/integration_bank.spec.js
@@ -5,12 +5,6 @@ import {
 import IntegrationBank from '../integration-bank.js';
 
 describe('IntegrationBank', () => {
-  let consoleSpy;
-
-  beforeEach(() => {
-    consoleSpy = vi.spyOn(console, 'debug');
-  });
-
   describe('normalizeAccount', () => {
     const account = mockExtendAccountsAboutInstitutions[0];
 
@@ -42,16 +36,6 @@ describe('IntegrationBank', () => {
         type: 'checking',
       });
     });
-
-    it('normalizeAccount logs available account properties', () => {
-      IntegrationBank.normalizeAccount(account);
-      expect(consoleSpy).toHaveBeenCalledWith(
-        'Available account properties for new institution integration',
-        {
-          account: JSON.stringify(account),
-        },
-      );
-    });
   });
 
   describe('sortTransactions', () => {
@@ -72,35 +56,26 @@ describe('IntegrationBank', () => {
         transactionAmount: { amount: '100', currency: 'EUR' },
       },
     ];
-    const sortedTransactions = [
-      {
-        date: '2022-01-03',
-        bookingDate: '2022-01-03',
-        transactionAmount: { amount: '100', currency: 'EUR' },
-      },
-      {
-        date: '2022-01-02',
-        bookingDate: '2022-01-02',
-        transactionAmount: { amount: '100', currency: 'EUR' },
-      },
-      {
-        date: '2022-01-01',
-        bookingDate: '2022-01-01',
-        transactionAmount: { amount: '100', currency: 'EUR' },
-      },
-    ];
 
     it('should return transactions sorted by bookingDate', () => {
       const sortedTransactions = IntegrationBank.sortTransactions(transactions);
-      expect(sortedTransactions).toEqual(sortedTransactions);
-    });
-
-    it('sortTransactions logs available transactions properties', () => {
-      IntegrationBank.sortTransactions(transactions);
-      expect(consoleSpy).toHaveBeenCalledWith(
-        'Available (first 10) transactions properties for new integration of institution in sortTransactions function',
-        { top10Transactions: JSON.stringify(sortedTransactions.slice(0, 10)) },
-      );
+      expect(sortedTransactions).toEqual([
+        {
+          date: '2022-01-03',
+          bookingDate: '2022-01-03',
+          transactionAmount: { amount: '100', currency: 'EUR' },
+        },
+        {
+          date: '2022-01-02',
+          bookingDate: '2022-01-02',
+          transactionAmount: { amount: '100', currency: 'EUR' },
+        },
+        {
+          date: '2022-01-01',
+          bookingDate: '2022-01-01',
+          transactionAmount: { amount: '100', currency: 'EUR' },
+        },
+      ]);
     });
   });
 
@@ -141,16 +116,5 @@ describe('IntegrationBank', () => {
       );
       expect(startingBalance).toEqual(70000);
     });
-
-    it('logs available transactions and balances properties', () => {
-      IntegrationBank.calculateStartingBalance(transactions, balances);
-      expect(consoleSpy).toHaveBeenCalledWith(
-        'Available (first 10) transactions properties for new integration of institution in calculateStartingBalance function',
-        {
-          balances: JSON.stringify(balances),
-          top10SortedTransactions: JSON.stringify(transactions.slice(0, 10)),
-        },
-      );
-    });
   });
 });
diff --git a/packages/sync-server/src/app-gocardless/util/handle-error.js b/packages/sync-server/src/app-gocardless/util/handle-error.js
@@ -1,9 +1,7 @@
-import { inspect } from 'util';
-
 export function handleError(func) {
   return (req, res) => {
     func(req, res).catch(err => {
-      console.log('Error', req.originalUrl, inspect(err, { depth: null }));
+      console.log('Error', req.originalUrl, err.message || String(err));
       res.send({
         status: 'ok',
         data: {
diff --git a/packages/sync-server/src/app-simplefin/app-simplefin.js b/packages/sync-server/src/app-simplefin/app-simplefin.js
@@ -294,7 +294,7 @@ function parseAccessKey(accessKey) {
   let password = null;
   let baseUrl = null;
   if (!accessKey || !accessKey.match(/^.*\/\/.*:.*@.*$/)) {
-    console.log(`Invalid SimpleFIN access key: ${accessKey}`);
+    console.log('Invalid SimpleFIN access key');
     throw new Error(`Invalid access key`);
   }
   [scheme, rest] = accessKey.split('//');
diff --git a/upcoming-release-notes/5948.md b/upcoming-release-notes/5948.md
@@ -0,0 +1,6 @@
+---
+category: Enhancements
+authors: [MatissJanis]
+---
+
+Remove sensitive data logging from sync-server

Original file line number	Diff line number	Diff line change
`@@ -294,7 +294,7 @@ function parseAccessKey(accessKey) {`
`294`	`294`	`let password = null;`
`295`	`295`	`let baseUrl = null;`
`296`	`296`	`if (!accessKey \|\| !accessKey.match(/^.\/\/.:.@.$/)) {`
`297`		- console.log(`Invalid SimpleFIN access key: ${accessKey}`);
	`297`	`+ console.log('Invalid SimpleFIN access key');`
`298`	`298`	throw new Error(`Invalid access key`);
`299`	`299`	`}`
`300`	`300`	`[scheme, rest] = accessKey.split('//');`