[💡 Feature]: Proper masking for reporters, logging, and multiple emit events

[dprevost-LMI]

Is your feature request related to a problem?

Sometimes, even when using test data, we want to prevent some information from being outputted in logs or reports. Today, in wdio, no configuration allows such behaviour. Therefore, we need a proper masking mechanism. The focus here is mainly on the reporters.

The request was triggered primarily to mask the test user's password from the report. This password is sent using the elementSendKeys command, and the text value can be found in the body.text property.

The idea is to implement a mechanism to prevent reporters from accessing sensitive data. To achieve that, we must do it in the webdriver package and, more specifically, in the command.ts, where it triggers the HTTP request to appium and emits the sensitive data as a 'request,' 'performance,' or 'result' event. Moreover, we have some loggers that log sensitive data.

While being on the topic, possible other touchpoints to keep in mind:

• appium have log filters even though it is hard to use.
• BrowserStack has maskCommand even though it's an all-or-nothing. But, it might not mask information in Percy or Insight tools.

Describe the solution you'd like.

As mentioned, since in command.ts, there are several emit and also logging of the sensitive data, the only way to have a solid mechanism is to mask the data there and pass the masked data to everything else besides the HTTP request to appium

The emit events request.performance, command, result, request, and performance were all reviewed to pass the masked body and ensure that sensitive data was concealed.

Some logging with the keywords DATA and COMMAND were also reviewed to pass the proper masked data so we do not leak sensitive information.

Since we pass the masked body to the emit event command and result, all Reporters and BrowserStack tools receive the masked text and will no longer show sensitive data in reports. Note that BrowserStack Text Logs is not affected at all by that, and their maskCommand mechanism still needs to be used!

To use this new mechanism, we must pass the capabilities wdio:maskingPatterns, where it is a RegExp on which we apply .toString(). Otherwise, there is some serialization mechanism losing the literal RegExp value.

Describe alternatives you've considered.

At first, we thought of masking on the onBeforeCommand and onAfterCommand, but the sensitive data would have leaked in other places, like logging.

Additional context

An example of masking after enabling the wdio logger at the INFO level.

Code of Conduct

• I agree to follow this project's Code of Conduct

[wdio-bot]

Thanks for reporting!

We greatly appreciate any contributions that help resolve the bug. While we understand that active contributors have their own priorities, we kindly request your assistance if you rely on this bug being fixed. We encourage you to take a look at our contribution guidelines or join our friendly Discord development server, where you can ask any questions you may have. Thank you for your support, and cheers!

[christian-bromann]

The best place to handle this type of filter for all services and reporters is within the webdriver package. If we implement it there, the filter option should be part of the webdriver package as well.

[dprevost-LMI]

@christian-bromann I reviewed the solution, and I'm now masking in the webdriver package when we send the HTTP request with the non-masked version. All logging and emitting are covered; let me know what you think! If it is correct, I will move forward with the unit test and more if needed

[dprevost-LMI]

🤔 I never linked the issue with the PR. Here we go, the PR: #13938

[christian-bromann]

Copying this over for visibility:

---

Just to note here: we are working with different logs:

• WDIO logs like in this screenshot:
  
• Appium logs that Appium is creating and may be intercepted by WebdriverIO
• Vendor logs

It would be awesome if the solution:

• sends the actual value to Appium, e.g. when calling $('selector').setValue(process.env.SECRET_PASSWORD) but masks them in the wdio logs which requires changes to transformCommandLogResult
• applies automatically log filters to Appium when user uses @wdio/appium-service and warns the user to apply them when an independent Appium server is being used

I am open to how the mask option look like as long as it is intuitive. Maybe there is an NPM package that detects secrets and can give us an indication whether we should mask it. Otherwise aligning with what Appium does makes total sense to me.

I don't think we can do anything about what the Vendor displays in their UI.

[dprevost-LMI]

WDIO logs like in this screenshot:
Just to clarify, the screenshot is the appium one, not the WDIO one, but they are very similar!

We could choose solution # 1, mostly as you describe it, @christian-bromann. Additionally, solution # 2 could be nice and require just a little more effort!

Solution # 1
The most secure one is where we mask both WDIO and Appium the same way you describe.

• The burden is to find a proper regEx fitting potentially custom data unless, like me, you can enter a fixed token as in a password
• Honestly, the appium way with the log filter, I do not find it "intuitive" since I had to be creative to find a proper RegEx and "inject" my token.
• If, for example, you deal with some accessKey that you cannot change, you can go with the length, but we had that, and it was colliding with a random value generated by Faker for test data.
• Even with the above, I agree with your proposed approach, and if I can filter in the function you mention and inject the RegExp to the appium config, it would be the best and most solid
• To be clear, on top of the logs, I would, as I did in the PR, obfuscate the data emitted on performance, result, request in order for Reporter and some BrowserStack tool not to leak the sensitive data

Solution # 2
To have more flexibility and not have to find a creative Regex or change your secret to contain a token, the alternative would be to inject a token on setValue and remove it with RegEx when you have a matching group before sending it! However, I would have to document the following:
⚠️ Using group matching to remove a given token injected on the setValue makes it vulnerable to be found in Appium Logs; you MUST DISABLED appium logs to have a secured solution

Both solutions could be implemented since they are RegExp-based, and removing a string from a match group is one or two more code lines!

Let me know what you thing!

Maybe there is an NPM package that detects secrets and can give us an indication whether we should mask it.

I will try to look into that, but I have not done so yet!

I don't think we can do anything about what the Vendor displays in their UI.

I assume you refer to BrowserStack (and maybe other). I tried to mask the Text Logs thinking the source of their data was from WDIO, but it did not seem to be. So yes, most likely for Vendor, we cannot do anything!
I hope someone from BrowserStack could hear us and jump it and help us, but most likely it will not happen before I can finish my solution 😉