From 088b1cf9efef901ddd5475be74975967b1dddf34 Mon Sep 17 00:00:00 2001 From: aayushbaluni <73417844+aayushbaluni@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:50:50 +0530 Subject: [PATCH] fix(security): redact secrets from config startup log (CWE-532) config/config.js logs the full config object including cookieSecret, cryptoKey, and the MongoDB connection URI on every startup via console.log(util.inspect(config)). In production, stdout feeds into centralized logging (CloudWatch, ELK, etc.), exposing secrets to anyone with log access. Gate config logging behind NODE_ENV=development + DEBUG_CONFIG env var, and redact sensitive values when logging is enabled. Fixes #390 Made-with: Cursor
---
 config/config.js | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/config/config.js b/config/config.js
index 33f3bb69d7..271f7ac95c 100644
--- a/config/config.js
+++ b/config/config.js
@@ -9,7 +9,39 @@ const envConf = require(path.resolve(__dirname + "/../config/env/" + finalEnv.to
 const config = { ...allConf, ...envConf };
-console.log(`Current Config:`);
-console.log(util.inspect(config, false, null));
+function redactMongoConnectionString(uri) {
+ if (typeof uri !== "string" || !uri) {
+ return uri;
+ }
+ try {
+ const parsed = new URL(uri);
+ if (parsed.username || parsed.password) {
+ parsed.username = "***";
+ parsed.password = "***";
+ }
+ return parsed.toString();
+ } catch (e) {
+ return "[redacted-db-uri]";
+ }
+}
+
+function sanitizeConfigForLog(cfg) {
+ const sanitized = { ...cfg };
+ if (Object.prototype.hasOwnProperty.call(sanitized, "cookieSecret")) {
+ sanitized.cookieSecret = "[redacted]";
+ }
+ if (Object.prototype.hasOwnProperty.call(sanitized, "cryptoKey")) {
+ sanitized.cryptoKey = "[redacted]";
+ }
+ if (Object.prototype.hasOwnProperty.call(sanitized, "db")) {
+ sanitized.db = redactMongoConnectionString(sanitized.db);
+ }
+ return sanitized;
+}
+
+if (process.env.NODE_ENV === "development" && process.env.DEBUG_CONFIG) {
+ console.log("Current Config:");
+ console.log(util.inspect(sanitizeConfigForLog(config), false, null));
+}
 module.exports = config;
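Review bot: `sanitizeConfigForLog` only shallow-copies (`{ ...cfg }`) and redacts a fixed list of three top-level keys, while `util.inspect(..., false, null)` prints to unlimited depth, so any secret nested one level down or stored under a key introduced later is still written to the log in full. The same gap exists for `db` when it is not a string: `redactMongoConnectionString` returns non-string values untouched, so an options object carrying credentials would pass straight through (the hunk does not show what shape `db` has, so this is inferred). A recursive walk that redacts any key matching a sensitive-name pattern, with string `db` values still routed through the URI redactor, keeps the dump from regressing as new keys are added and is sketched below. Separately, `process.env.DEBUG_CONFIG` is a string, so `DEBUG_CONFIG=0` or `DEBUG_CONFIG=false` still enables the dump; `process.env.DEBUG_CONFIG === "1"` would be less surprising than the truthiness check.
```javascript
// Keys whose value is never worth logging; over-matching is harmless here.
const SENSITIVE_KEY = /secret|key|password|passwd|token|credential/i;

function sanitizeConfigForLog(cfg, seen = new WeakSet()) {
  if (Array.isArray(cfg)) {
    return cfg.map((item) => sanitizeConfigForLog(item, seen));
  }
  if (cfg === null || typeof cfg !== "object" || seen.has(cfg)) {
    return cfg;
  }
  seen.add(cfg); // guards against cycles in the merged config
  const sanitized = {};
  for (const [key, value] of Object.entries(cfg)) {
    if (key === "db" && typeof value === "string") {
      sanitized[key] = redactMongoConnectionString(value);
    } else if (SENSITIVE_KEY.test(key)) {
      sanitized[key] = "[redacted]";
    } else {
      sanitized[key] = sanitizeConfigForLog(value, seen);
    }
  }
  return sanitized;
}
// … unchanged: redactMongoConnectionString and the NODE_ENV/DEBUG_CONFIG gate …
```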