Redact sensitive feed data from logs

Author: gildesmarais

app/web/boot/setup.rb

@@ -13,6 +13,7 @@ class << self
           def call!
             validate_environment!
             configure_request_service!
+            configure_runtime_logging!
           end
 
           private
@@ -28,6 +29,13 @@ def validate_environment!
           def configure_request_service!
             nil
           end
+
+          # @return [void]
+          def configure_runtime_logging!
+            return unless defined?(Rack::Timeout::Logger)
+
+            Rack::Timeout::Logger.logger = AppLogger.logger
+          end
         end
       end
     end

app/web/request/request_context_middleware.rb

@@ -57,7 +57,7 @@ def build_context(request)
         path = request.path_info.to_s
         RequestContext::Context.new(
           request_id: request_id_for(request),
-          path: path,
+          path: LogSanitizer.sanitize_path(path),
           http_method: request.request_method.to_s.upcase,
           route_group: route_group_for(path),
           actor: nil,

app/web/security/security_logger.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'logger'
 require 'json'
 require 'digest'
 require 'time'
@@ -135,16 +134,7 @@ def log_cache_lifecycle(component, event, details = {})
         private
 
         def create_logger
-          Logger.new($stdout).tap do |log|
-            log.formatter = proc do |severity, datetime, _progname, msg|
-              "#{{
-                timestamp: datetime.iso8601,
-                level: severity,
-                service: 'html2rss-web',
-                **JSON.parse(msg, symbolize_names: true)
-              }.to_json}\n"
-            end
-          end
+          AppLogger.logger
         end
 
         ##
@@ -156,7 +146,7 @@ def log_event(event_type, data, severity: :warn)
           payload = {
             security_event: event_type,
             **context_data,
-            **data
+            **LogSanitizer.sanitize_details(data)
           }.to_json
 
           logger.public_send(severity, payload)

app/web/telemetry/app_logger.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'logger'
+require 'time'
+require 'uri'
+
+module Html2rss
+  module Web
+    ##
+    # Shared structured logger for application and middleware runtime events.
+    module AppLogger
+      class << self
+        # @return [Logger]
+        def logger
+          Thread.current[:app_logger] ||= build_logger
+        end
+
+        # @return [void]
+        def reset_logger!
+          Thread.current[:app_logger] = nil
+        end
+
+        private
+
+        # @return [Logger]
+        def build_logger
+          Logger.new($stdout).tap do |log|
+            log.formatter = method(:format_entry)
+          end
+        end
+
+        # @param severity [String]
+        # @param datetime [Time]
+        # @param _progname [String, nil]
+        # @param message [String]
+        # @return [String]
+        def format_entry(severity, datetime, _progname, message)
+          "#{base_payload(severity, datetime).merge(normalize_message(message)).to_json}\n"
+        end
+
+        # @param severity [String]
+        # @param datetime [Time]
+        # @return [Hash{Symbol=>Object}]
+        def base_payload(severity, datetime)
+          {
+            timestamp: datetime.iso8601,
+            level: severity,
+            service: 'html2rss-web'
+          }
+        end
+
+        # @param message [Object]
+        # @return [Hash{Symbol=>Object}]
+        def normalize_message(message)
+          parsed_json(message) || parse_logfmt(message.to_s) || { message: message.to_s }
+        end
+
+        # @param message [Object]
+        # @return [Hash{Symbol=>Object}, nil]
+        def parsed_json(message)
+          JSON.parse(message.to_s, symbolize_names: true)
+        rescue JSON::ParserError, TypeError
+          nil
+        end
+
+        # @param message [String]
+        # @return [Hash{Symbol=>Object}, nil]
+        def parse_logfmt(message)
+          pairs = message.scan(/([a-zA-Z0-9_.-]+)=("[^"]*"|\S+)/)
+          return nil if pairs.empty?
+
+          pairs.to_h do |key, raw_value|
+            [key.to_sym, normalize_logfmt_value(raw_value)]
+          end
+        end
+
+        # @param raw_value [String]
+        # @return [String, Integer, Float, TrueClass, FalseClass]
+        def normalize_logfmt_value(raw_value)
+          value = raw_value.delete_prefix('"').delete_suffix('"')
+          return true if value == 'true'
+          return false if value == 'false'
+          return value.to_i if value.match?(/\A-?\d+\z/)
+          return value.to_f if value.match?(/\A-?\d+\.\d+\z/)
+
+          value
+        end
+      end
+    end
+  end
+end

app/web/telemetry/log_sanitizer.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'digest'
+require 'uri'
+
+module Html2rss
+  module Web
+    ##
+    # Sanitizes request and detail payloads before structured logging.
+    module LogSanitizer
+      FEED_TOKEN_ROUTE = %r{\A(/api/v1/feeds/)([^/.?]+)(\.(?:json|xml|rss))?\z}
+
+      class << self
+        # @param path [String, nil]
+        # @return [String, nil]
+        def sanitize_path(path)
+          return if path.nil?
+
+          path.to_s.gsub(FEED_TOKEN_ROUTE, '\1[REDACTED]\3')
+        end
+
+        # @param details [Hash]
+        # @return [Hash]
+        def sanitize_details(details)
+          details.each_with_object({}) do |(key, value), sanitized|
+            sanitized[key] = sanitize_value(key, value)
+          end
+        end
+
+        private
+
+        # @param key [Object]
+        # @param value [Object]
+        # @return [Object]
+        def sanitize_value(key, value)
+          return sanitize_url(value) if key.to_sym == :url
+          return sanitize_details(value) if value.is_a?(Hash)
+          return value.map { |entry| sanitize_value(key, entry) } if value.is_a?(Array)
+
+          value
+        end
+
+        # @param value [Object]
+        # @return [Hash{Symbol=>Object}, Object]
+        def sanitize_url(value)
+          url = value.to_s
+          return value if url.empty?
+
+          uri = URI.parse(url)
+          {
+            host: uri.host,
+            scheme: uri.scheme,
+            hash: Digest::SHA256.hexdigest(url)[0..11]
+          }.compact
+        rescue URI::InvalidURIError
+          { hash: Digest::SHA256.hexdigest(url)[0..11] }
+        end
+      end
+    end
+  end
+end

app/web/telemetry/observability.rb

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
-require 'json'
-require 'logger'
-require 'time'
-
 module Html2rss
   module Web
     ##
@@ -27,16 +23,7 @@ def emit(event_name:, outcome:, details: {}, level: :info)
 
         # @return [Logger]
         def logger
-          Thread.current[:observability_logger] ||= Logger.new($stdout).tap do |log|
-            log.formatter = proc do |severity, datetime, _progname, msg|
-              "#{{
-                timestamp: datetime.iso8601,
-                level: severity,
-                service: 'html2rss-web',
-                **JSON.parse(msg, symbolize_names: true)
-              }.to_json}\n"
-            end
-          end
+          AppLogger.logger
         end
 
         # @param error [StandardError]
@@ -54,7 +41,7 @@ def handle_emit_error(error, event_name, outcome)
         # @return [Hash{Symbol=>Object}]
         def build_payload(event_name, outcome, details)
           context = RequestContext.current_h
-          base_payload(event_name, outcome, context).merge(details: details)
+          base_payload(event_name, outcome, context).merge(details: LogSanitizer.sanitize_details(details))
         end
 
         # @param event_name [String]

spec/html2rss/web/log_sanitizer_spec.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'stringio'
+
+require_relative '../../../app/web/request/request_context'
+require_relative '../../../app/web/security/security_logger'
+require_relative '../../../app/web/telemetry/app_logger'
+require_relative '../../../app/web/telemetry/log_sanitizer'
+require_relative '../../../app/web/telemetry/observability'
+
+RSpec.describe Html2rss::Web::LogSanitizer do
+  let(:io) { StringIO.new }
+  let(:logger) { Logger.new(io).tap { |log| log.formatter = Html2rss::Web::AppLogger.send(:method, :format_entry) } }
+  let(:context) do
+    Html2rss::Web::RequestContext::Context.new(
+      request_id: 'req-123',
+      path: '/api/v1/feeds/[REDACTED]',
+      http_method: 'GET',
+      route_group: 'api_v1',
+      actor: nil,
+      strategy: 'faraday',
+      started_at: '2026-03-21T00:00:00Z'
+    )
+  end
+
+  before do
+    Html2rss::Web::RequestContext.set!(context)
+    Html2rss::Web::AppLogger.reset_logger!
+    Html2rss::Web::SecurityLogger.reset_logger!
+    allow(Html2rss::Web::AppLogger).to receive(:logger).and_return(logger)
+    allow(Html2rss::Web::SecurityLogger).to receive(:logger).and_return(logger)
+    allow(Html2rss::Web::Observability).to receive(:logger).and_return(logger)
+  end
+
+  after do
+    Html2rss::Web::RequestContext.clear!
+  end
+
+  it 'redacts feed tokens from token feed request paths' do
+    expect(described_class.sanitize_path('/api/v1/feeds/token-value-123')).to eq('/api/v1/feeds/[REDACTED]')
+    expect(described_class.sanitize_path('/api/v1/feeds/token-value-123.json')).to eq('/api/v1/feeds/[REDACTED].json')
+  end
+
+  it 'replaces logged urls with hashed host metadata' do
+    expected_url = {
+      host: 'news.ycombinator.com',
+      scheme: 'https',
+      hash: Digest::SHA256.hexdigest('https://news.ycombinator.com')[0..11]
+    }
+
+    expect(described_class.sanitize_details(url: 'https://news.ycombinator.com')).to eq(url: expected_url)
+  end
+
+  it 'sanitizes security logger token usage fields' do
+    Html2rss::Web::SecurityLogger.log_token_usage('very-secret-token', 'https://news.ycombinator.com', true)
+    payload = JSON.parse(io.string.lines.last, symbolize_names: true)
+
+    expect(payload.slice(:path, :url, :token_hash)).to eq(
+      path: '/api/v1/feeds/[REDACTED]',
+      url: {
+        host: 'news.ycombinator.com',
+        scheme: 'https',
+        hash: Digest::SHA256.hexdigest('https://news.ycombinator.com')[0..11]
+      },
+      token_hash: Digest::SHA256.hexdigest('very-secret-token')[0..7]
+    )
+  end
+
+  it 'sanitizes observability details' do
+    Html2rss::Web::Observability.emit(
+      event_name: 'feed.render',
+      outcome: 'success',
+      details: { url: 'https://news.ycombinator.com', strategy: 'faraday' }
+    )
+
+    lines = io.string.lines.map { |line| JSON.parse(line, symbolize_names: true) }
+    observability_payload = lines.first
+
+    expect(observability_payload.dig(:details, :url)).to eq(
+      host: 'news.ycombinator.com',
+      scheme: 'https',
+      hash: Digest::SHA256.hexdigest('https://news.ycombinator.com')[0..11]
+    )
+  end
+
+  it 'formats rack-timeout logfmt as json' do
+    logger.info('source=rack-timeout id=req-123 timeout=15000ms state=completed')
+
+    payload = JSON.parse(io.string.lines.last, symbolize_names: true)
+    expect(payload).to include(
+      source: 'rack-timeout',
+      id: 'req-123',
+      timeout: '15000ms',
+      state: 'completed'
+    )
+  end
+end

spec/html2rss/web/request_context_middleware_spec.rb

@@ -17,6 +17,11 @@
     expect(response['X-Request-Id']).not_to be_empty
   end
 
+  it 'redacts feed tokens from request context paths' do
+    response = Rack::MockRequest.new(redaction_app).get('/api/v1/feeds/sensitive-token-value.json')
+    expect(response.body).to eq('/api/v1/feeds/[REDACTED].json')
+  end
+
   private
 
   # @return [Html2rss::Web::RequestContextMiddleware]
@@ -27,4 +32,13 @@ def middleware_app
     end
     described_class.new(app)
   end
+
+  # @return [Html2rss::Web::RequestContextMiddleware]
+  def redaction_app
+    app = lambda do |_env|
+      context = Html2rss::Web::RequestContext.current
+      [200, { 'Content-Type' => 'text/plain' }, [context.path]]
+    end
+    described_class.new(app)
+  end
 end