如何屏蔽JSON中的敏感值以进行记录 [英] How to mask sensitive values in JSON for logging purposes
问题描述
我有几种相似的JSON结构,我想将它们写到SQL表中以进行日志记录.但是,JSON中的某些字段包含敏感信息,我想部分屏蔽这些信息,以便在日志中看不到完整值.
I have several similar JSON structures that I want to write into a SQL table for logging purposes. However, some of the fields in the JSON contain sensitive information, which I want to partially mask so the full value is not visible in the log.
这是JSON结构之一的示例:
Here is an example of one of the JSON structures:
{
"Vault": 1,
"Transaction": {
"gateway": {
"Login": "Nick",
"Password": "Password"
},
"credit_card": {
"number": "4111111111111"
}
}
}
在这种情况下,我试图更改4111
信用卡号,以使其在JSON中看起来像4xxx1111
.我正在使用Newtonsoft,并且已将JSON反序列化为JObject
,但是我仍然对如何屏蔽该值感到困惑.我认为线索与JToken
有关,但尚未弄清楚.我想使该解决方案尽可能通用,以便它可以与我可能需要注销的任何JSON结构一起使用.
In this case I'm trying to change the 4111
credit card number so that it appears like 4xxx1111
in the JSON. I am using Newtonsoft and have deserialized the JSON into a JObject
, but I am stuck on how to mask the value. I think the clue is something with JToken
, but haven't figured it out yet. I'd like to make the solution as generic as possible so that it will work with any JSON structure that I might need to log out.
任何帮助将不胜感激.
推荐答案
以下是我认为我会采用的方法:
Here is the approach I think I would take:
-
创建一个辅助方法,该方法可以采用字符串值,并以您所需的日志方式遮盖它.也许像这样,例如:
Make a helper method that can take a string value and obscure it in the manner you require for your log. Maybe something like this, for example:
public static string Obscure(string s)
{
if (string.IsNullOrEmpty(s)) return s;
int len = s.Length;
int leftLen = len > 4 ? 1 : 0;
int rightLen = len > 6 ? Math.Min((len - 6) / 2, 4) : 0;
return s.Substring(0, leftLen) +
new string('*', len - leftLen - rightLen) +
s.Substring(len - rightLen);
}
制作另一个可以接受JToken
和 JSONPath 列表的帮助器方法.表达式.在此方法中,使用SelectTokens
将每个路径与令牌的内容进行匹配.对于找到的每个匹配项,请使用第一个辅助方法将敏感值替换为模糊的版本.
Make another helper method that can accept a JToken
and a list of JSONPath expressions. In this method, match each path against the contents of the token using SelectTokens
. For each match found, use the first helper method to replace the sensitive value with an obscured version.
public static void ObscureMatchingValues(JToken token, IEnumerable<string> jsonPaths)
{
foreach (string path in jsonPaths)
{
foreach (JToken match in token.SelectTokens(path))
{
match.Replace(new JValue(Obscure(match.ToString())));
}
}
}
最后,为要在所有期望的JSON主体之间模糊的值编译JSONPath表达式列表.从上面的示例JSON中,我认为您希望掩盖Password
的任何位置,如果number
出现在credit_card
内部,则应该掩盖它.以JSONPath表示,它们分别为$..Password
和$..credit_card.number
. (请记住,JSONPath表达式在Json.Net中是区分大小写的.)将此列表放在某个配置设置中,以便您可以在需要时轻松进行更改.
Finally, compile a list of JSONPath expressions for the values that you want to obscure across all the JSON bodies you expect to get. From your example JSON above, I think you would want to obscure Password
wherever it occurs and number
if it occurs inside credit_card
. Expressed as JSONPath, these would be $..Password
and $..credit_card.number
, respectively. (Keep in mind that JSONPath expressions are case sensitive in Json.Net.) Take this list and put it into a configuration setting somewhere so you can change it easily when you need to.
现在,每当您要注销一些JSON时,只需执行以下操作:
Now, whenever you want to log out some JSON, just do this:
JToken token = JToken.Parse(json);
string[] jsonPaths = YourConfigSettings.GetJsonPathsToObscure();
ObscureMatchingValues(token, jsonPaths);
YourLogger.Log(token.ToString(Formatting.None));
演示小提琴: https://dotnetfiddle.net/dGPyJF
这篇关于如何屏蔽JSON中的敏感值以进行记录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!