如何屏蔽JSON中的敏感值以进行记录 [英] How to mask sensitive values in JSON for logging purposes
问题描述
我有几种相似的JSON结构,我想将它们写到SQL表中以进行日志记录.但是,JSON中的某些字段包含敏感信息,我想部分屏蔽这些信息,以便在日志中看不到完整值.
I have several similar JSON structures that I want to write into a SQL table for logging purposes. However, some of the fields in the JSON contain sensitive information, which I want to partially mask so the full value is not visible in the log.
这是JSON结构之一的示例:
Here is an example of one of the JSON structures:
{
"Vault": 1,
"Transaction": {
"gateway": {
"Login": "Nick",
"Password": "Password"
},
"credit_card": {
"number": "4111111111111"
}
}
}
在这种情况下,我试图更改4111信用卡号,以使其在JSON中看起来像4xxx1111.我正在使用Newtonsoft,并且已将JSON反序列化为JObject,但是我仍然对如何屏蔽该值感到困惑.我认为线索与JToken有关,但尚未弄清楚.我想使该解决方案尽可能通用,以便它可以与我可能需要注销的任何JSON结构一起使用.
In this case I'm trying to change the 4111 credit card number so that it appears like 4xxx1111 in the JSON. I am using Newtonsoft and have deserialized the JSON into a JObject, but I am stuck on how to mask the value. I think the clue is something with JToken, but haven't figured it out yet. I'd like to make the solution as generic as possible so that it will work with any JSON structure that I might need to log out.
任何帮助将不胜感激.
推荐答案
以下是我认为我会采用的方法:
Here is the approach I think I would take:
-
创建一个辅助方法,该方法可以采用字符串值,并以您所需的日志方式遮盖它.也许像这样,例如:
Make a helper method that can take a string value and obscure it in the manner you require for your log. Maybe something like this, for example:
public static string Obscure(string s)
{
if (string.IsNullOrEmpty(s)) return s;
int len = s.Length;
int leftLen = len > 4 ? 1 : 0;
int rightLen = len > 6 ? Math.Min((len - 6) / 2, 4) : 0;
return s.Substring(0, leftLen) +
new string('*', len - leftLen - rightLen) +
s.Substring(len - rightLen);
}
制作另一个可以接受JToken和 JSONPath 列表的帮助器方法.表达式.在此方法中,使用SelectTokens将每个路径与令牌的内容进行匹配.对于找到的每个匹配项,请使用第一个辅助方法将敏感值替换为模糊的版本.
Make another helper method that can accept a JToken and a list of JSONPath expressions. In this method, match each path against the contents of the token using SelectTokens. For each match found, use the first helper method to replace the sensitive value with an obscured version.
public static void ObscureMatchingValues(JToken token, IEnumerable<string> jsonPaths)
{
foreach (string path in jsonPaths)
{
foreach (JToken match in token.SelectTokens(path))
{
match.Replace(new JValue(Obscure(match.ToString())));
}
}
}
最后,为要在所有期望的JSON主体之间模糊的值编译JSONPath表达式列表.从上面的示例JSON中,我认为您希望掩盖Password的任何位置,如果number出现在credit_card内部,则应该掩盖它.以JSONPath表示,它们分别为$..Password和$..credit_card.number. (请记住,JSONPath表达式在Json.Net中是区分大小写的.)将此列表放在某个配置设置中,以便您可以在需要时轻松进行更改.
Finally, compile a list of JSONPath expressions for the values that you want to obscure across all the JSON bodies you expect to get. From your example JSON above, I think you would want to obscure Password wherever it occurs and number if it occurs inside credit_card. Expressed as JSONPath, these would be $..Password and $..credit_card.number, respectively. (Keep in mind that JSONPath expressions are case sensitive in Json.Net.) Take this list and put it into a configuration setting somewhere so you can change it easily when you need to.
现在,每当您要注销一些JSON时,只需执行以下操作:
Now, whenever you want to log out some JSON, just do this:
JToken token = JToken.Parse(json);
string[] jsonPaths = YourConfigSettings.GetJsonPathsToObscure();
ObscureMatchingValues(token, jsonPaths);
YourLogger.Log(token.ToString(Formatting.None));
演示小提琴: https://dotnetfiddle.net/dGPyJF
这篇关于如何屏蔽JSON中的敏感值以进行记录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
