[test] vitest can leak secrets in pipeline output

[timovv]

When a test fails with an error, vitest outputs a JSON serialization of the error object to console. This is helpful when debugging, but can cause information that would have otherwise been sanitized to be output in pipeline runs, like in this example where an access token showed up (MS internal link): https://dev.azure.com/azure-sdk/internal/_build/results?buildId=3768430&view=logs&j=8f098e13-557e-5a76-9331-06424800e0fa&t=5005ede9-2880-5bbf-ce42-ae979164a4d1&l=105. Is it possible to suppress this output or sanitize it somehow in the pipeline?

Cc @mpodwysocki

[xirzec]

/cc @jeremymeng

[jeremymeng]

I wonder whether we should remove the request object from the RestError object, or sanitize it by default?

[timovv]

I feel like there are definitely production use cases where customers would want to see the content of the request in an error case. Sometimes there may be secrets in the response as well, which is an even more useful property. Maybe it would be possible to sub in a different mock implementation of RestError during tests that doesn't have this information, or sanitizes things? (this is if Matt's current PR doesn't fix the problem, I haven't had a chance to test that yet)

[jeremymeng]

I am a little concerned because error objects most likely get logged all the time.

[timovv]

Yeah I agree that is a concern. I guess there are a few different ways people could log the error:

• Error toString -- we don't override the default implementation, which only includes the message and name of the error, so this should be clean
• Looks like we already sanitize for util.inspect: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/core/core-rest-pipeline/src/restError.ts#L84-L86, so this one is good too
• JSON.stringify is problematic since this dumps the entire error object. We could override toJSON to sanitize the values here? I suspect this is what vitest is using to get that output but not sure