Fix log sanitizer loading and cleanup

Author: gildesmarais

app/web/request/request_context_middleware.rb

@@ -3,6 +3,7 @@
 require 'rack/request'
 require 'securerandom'
 require 'time'
+require_relative '../security/log_sanitizer'
 
 module Html2rss
   module Web

app/web/telemetry/log_sanitizer.rb app/web/security/log_sanitizer.rbapp/web/telemetry/log_sanitizer.rb renamed to app/web/security/log_sanitizer.rb

@@ -1,22 +1,26 @@
 # frozen_string_literal: true
 
 require 'digest'
-require 'uri'
+require 'html2rss/url'
 
 module Html2rss
   module Web
     ##
-    # Sanitizes request and detail payloads before structured logging.
+    # Sanitizes request paths and log payloads before they are emitted.
     module LogSanitizer
-      FEED_TOKEN_ROUTE = %r{\A(/api/v1/feeds/)([^/.?]+)(\.(?:json|xml|rss))?\z}
+      FEED_TOKEN_ROUTE = %r{\A(/api/v1/feeds/)([^/?]+)\z}
 
       class << self
         # @param path [String, nil]
         # @return [String, nil]
         def sanitize_path(path)
           return if path.nil?
 
-          path.to_s.gsub(FEED_TOKEN_ROUTE, '\1[REDACTED]\3')
+          path_string = path.to_s
+          suffix = feed_suffix(path_string)
+          token_path = suffix ? path_string.delete_suffix(suffix) : path_string
+
+          token_path.gsub(FEED_TOKEN_ROUTE, "\\1[REDACTED]#{suffix}")
         end
 
         # @param details [Hash]
@@ -29,6 +33,16 @@ def sanitize_details(details)
 
         private
 
+        # @param path [String]
+        # @return [String, nil]
+        def feed_suffix(path)
+          return '.json' if path.end_with?('.json')
+          return '.xml' if path.end_with?('.xml')
+          return '.rss' if path.end_with?('.rss')
+
+          nil
+        end
+
         # @param key [Object]
         # @param value [Object]
         # @return [Object]
@@ -46,13 +60,13 @@ def sanitize_url(value)
           url = value.to_s
           return value if url.empty?
 
-          uri = URI.parse(url)
+          normalized_url = Html2rss::Url.for_channel(url)
           {
-            host: uri.host,
-            scheme: uri.scheme,
+            host: normalized_url.host,
+            scheme: normalized_url.scheme,
             hash: Digest::SHA256.hexdigest(url)[0..11]
           }.compact
-        rescue URI::InvalidURIError
+        rescue StandardError
           { hash: Digest::SHA256.hexdigest(url)[0..11] }
         end
       end

app/web/security/security_logger.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'json'
 require 'digest'
 require 'time'
 module Html2rss

app/web/telemetry/app_logger.rb

@@ -3,7 +3,6 @@
 require 'json'
 require 'logger'
 require 'time'
-require 'uri'
 
 module Html2rss
   module Web

spec/html2rss/web/log_sanitizer_spec.rb

@@ -7,7 +7,7 @@
 require_relative '../../../app/web/security/security_logger'
 require_relative '../../../app/web/telemetry/app_logger'
 require_relative '../../../app/web/telemetry/log_event'
-require_relative '../../../app/web/telemetry/log_sanitizer'
+require_relative '../../../app/web/security/log_sanitizer'
 require_relative '../../../app/web/telemetry/observability'
 
 RSpec.describe Html2rss::Web::LogSanitizer do
@@ -36,9 +36,12 @@
     Html2rss::Web::RequestContext.clear!
   end
 
-  it 'redacts feed tokens from token feed request paths' do
+  it 'redacts feed tokens from token feed request paths', :aggregate_failures do
     expect(described_class.sanitize_path('/api/v1/feeds/token-value-123')).to eq('/api/v1/feeds/[REDACTED]')
     expect(described_class.sanitize_path('/api/v1/feeds/token-value-123.json')).to eq('/api/v1/feeds/[REDACTED].json')
+    expect(
+      described_class.sanitize_path('/api/v1/feeds/eyJwIjoiYS5iLmMifQ==.xml')
+    ).to eq('/api/v1/feeds/[REDACTED].xml')
   end
 
   it 'replaces logged urls with hashed host metadata' do
@@ -51,6 +54,12 @@
     expect(described_class.sanitize_details(url: 'https://news.ycombinator.com')).to eq(url: expected_url)
   end
 
+  it 'falls back to a hash for malformed urls' do
+    expect(described_class.sanitize_details(url: '://bad url')).to eq(
+      url: { hash: Digest::SHA256.hexdigest('://bad url')[0..11] }
+    )
+  end
+
   it 'sanitizes security logger token usage fields' do
     Html2rss::Web::SecurityLogger.log_token_usage('very-secret-token', 'https://news.ycombinator.com', true)
     payload = JSON.parse(io.string.lines.last, symbolize_names: true)

spec/html2rss/web/request_context_middleware_spec.rb

@@ -4,6 +4,7 @@
 require 'rack/mock'
 
 require_relative '../../../app/web/request/request_context'
+require_relative '../../../app/web/security/log_sanitizer'
 require_relative '../../../app/web/request/request_context_middleware'
 
 RSpec.describe Html2rss::Web::RequestContextMiddleware do