-
Notifications
You must be signed in to change notification settings - Fork 890
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(serializers): avoid implicit sanitization #2081
base: main
Are you sure you want to change the base?
feat(serializers): avoid implicit sanitization #2081
Conversation
lib/proto.js
Outdated
} else if (_obj instanceof IncomingMessage) { | ||
obj = { [requestKey]: _obj } | ||
} else if (_obj instanceof ServerResponse) { | ||
obj = { [responseKey]: _obj } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If preferred, we can assess type from properties, as previously done in lib/tools.js
:
} else if (_obj.method && _obj.headers && _obj.socket) {
obj = { [requestKey]: _obj }
} else if (typeof _obj.setHeader === 'function') {
obj = { [responseKey]: _obj }
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think property presence will be better here. These could be extended objects, e.g. a FastifyRequest
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
lib/tools.js
Outdated
} else if (key === requestKey && serializers.req) { | ||
value = serializers.req(value) | ||
} else if (key === responseKey && serializers.res) { | ||
value = serializers.res(value) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Behaviour of all stdSerializers
follow the same pattern.
/** | ||
* The string key for the 'Request' in the JSON object. Default: "req". | ||
*/ | ||
requestKey?: string; | ||
/** | ||
* The string key for the 'Response' in the JSON object. Default: "res". | ||
*/ | ||
responseKey?: string; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The key for request and response are now explicitly configurable. Previously, these had fixed values, set on pino-std-serializers (mapHttpRequest and mapHttpResponse).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe this change makes the exported functions mapHttpRequest
and mapHttpResponse
deprecated, in pino-std-serializers?
f705b9c
to
a3b1681
Compare
test/http.test.js
Outdated
@@ -160,34 +154,31 @@ test('http response support', async ({ ok, same, error, teardown }) => { | |||
server.close() | |||
}) | |||
|
|||
test('http response support via a serializer', async ({ ok, same, error, teardown }) => { | |||
test('http response support via a serializer', async ({ match, error }) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you please keep the previous test and only add a new one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Original tests restored. Also fixed linter issues.
ok, I was running isolated tests and only now I noticed there were some assertions on the default serialisers; I am fixing them right now and soon the tests will be fixed; sorry for the silly mistake |
hey, @mcollina, are these the changes you expected? is there something that needs improvement or still missing? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issue mentioned deprecating the current implementation and switching to the new one in the next major. I don't see this being implemented in this PR. Have I missed it?
lib/proto.js
Outdated
} else if (_obj instanceof IncomingMessage) { | ||
obj = { [requestKey]: _obj } | ||
} else if (_obj instanceof ServerResponse) { | ||
obj = { [responseKey]: _obj } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think property presence will be better here. These could be extended objects, e.g. a FastifyRequest
.
This changeset only modifies the following behviour: neither logged Request nor Response objects are not transformed by their corresponding This change in behaviour is asserted in test/http.test.js, lines 86 and 240, with tests that create an arbitrary property that should be removed from them, if their standard serializers ran. |
This is a breaking change, correct? |
Yes, this is correct. When custom serializers are provided and they depend on the changes made by the standard serializers on the target objects (ie: to sanitize them?), they will be impacted. Though running standard serializers when custom serializers are given is not exaclty obvious behaviour -- and I think nor documented --, I understand there might be code in the wild that dependes on it (Hyrum's Law) and publishing this as breaking change should be the safest strategy. |
Then we are missing the deprecation and opt-in for the current version. |
I'm sorry, but I'm not familiar with the versioning process in Pino -- I've already checked CONTRIBUTING.md. Would it suffice updating major version in package.json? Could you, please help me? |
Either @mcollina or I will handle incrementing the version when we publish. What the original discussion called for, and what is missing here, is the deprecation of the current behavior so that people are alerted to the change in default behavior in the next major release. See the following examples: Lines 416 to 423 in ba31fc1
Lines 430 to 434 in ba31fc1
We could introduce a PR that only adds the deprecation notice, issue a release with that, and then merge this one (with it removing the notice) and issue a new major. But we still haven't finished updating all of the org's maintained modules for v9. So I'm not sure we have much appetite for a new major so soon after v9 right now. |
hey, @jsumners, I'm sorry, but I still don't get it. No property has been deprecated nor renamed -- and I believe the explanation of the change in behaviour would be somewhat lengthy for a warning message. Also, I don't see any example of |
|
86e666f
to
6cde4f5
Compare
When serializers are defined for HTTP Request or HTTP Response, do not run the correspondent `stdSerializers` before calling the provided serializer functions. ISSUE pinojs#1991
6cde4f5
to
da9a16f
Compare
hey, @jsumners and @mcollina, I created the opts property |
@@ -83,6 +83,81 @@ test('http request support via serializer', async ({ ok, same, error, teardown } | |||
server.close() | |||
}) | |||
|
|||
test('http request support via serializer (avoids stdSerializers)', async ({ test }) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed this library didn't have any nested test before. I think this makes it easier to identify and clean-up the tests that asserts the old behaviour when the new version will be released. If avoiding nested tests was intentional, these can be easily refactored.
* on a opt-in basis, anticipating behavior of the next major-version. All future flag must be frozen as false. These | ||
* future flags are specific to Pino major-version 9. | ||
*/ | ||
const future = Object.freeze({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed Object.freeze
is not used for default configuration. This can be easily refactored, if avoiding this feature is intentional.
When serializers are defined for HTTP Request or HTTP Response, do not run the correspondent
stdSerializers
before calling the provided serializer functions.ISSUE #1991