log: sensitive data redaction
Created by: bobheadxi
Raised by @varungandhi-src:

A couple of days back, I'd flagged some security-related concerns with how we aren't very careful around logging `api.RepoName` values today. Swift's logging is an interesting bit of prior art in this space:

When you include an interpolated string or custom object in your message, the system redacts the value of that string or object by default. This behavior prevents the system from leaking potentially user-sensitive information in the log files, such as the user's account information. If the data doesn't contain sensitive information, change the privacy option of that value when logging the information. In the following code example, the system redacts the account information in the first log message, but displays the user's selection in the second log message:

```swift
logger.log("Paid with bank account \(accountNumber)") // Redacted!
logger.log("Ordered smoothie \(smoothieName, privacy: .public)") // Visible
```
If we had such a solution, I think it would significantly reduce the risk of accidentally leaking private information in logs.
Even if having out-of-the-box support for redaction is out-of-scope for now, I think we should have this in mind as something that needs to be tackled in the future. I skimmed through zap's docs and I didn't see any mention of redaction. So if we migrate to zap and that makes implementing redaction support difficult, that would be an undesirable outcome IMO.
For a broad and generalized implementation, looks like it's not super easy but has been done (by none other than Matt Holt):
- Elegant way to filter fields? uber-go/zap#750
- https://github.com/caddyserver/caddy/blob/master/modules/logging/filterencoder.go
Similar reference: uber-go/zap#547 (comment)
All assuming we go with Zap, to which there have been no objections so far.
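An added example (mine, not code from this issue or from Sourcegraph) of the redact-by-default wrapper the Swift quote describes, written against Go's standard `log/slog` rather than zap so it runs with no dependencies; the `Sensitive` type, the `Secret`/`Public` helpers and the sample repo and account values are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log/slog"
	"strings"
)

// Sensitive wraps a value that must not reach the log unless explicitly
// marked public, mirroring Swift's default-redacted interpolation.
// (Hypothetical type written for this example, not a Sourcegraph API.)
type Sensitive struct {
	value  string
	public bool
}

// Secret marks v as private: it is redacted unless Public() is called.
func Secret(v string) Sensitive { return Sensitive{value: v} }

// Public opts a value into the log in the clear (Swift's privacy: .public).
func (s Sensitive) Public() Sensitive { s.public = true; return s }

// LogValue implements slog.LogValuer: the handler only ever sees the
// resolved value, so the raw secret never reaches the encoder.
func (s Sensitive) LogValue() slog.Value {
	if s.public {
		return slog.StringValue(s.value)
	}
	return slog.StringValue("[REDACTED]")
}

// String keeps fmt-style %v / %s formatting from bypassing the redaction.
func (s Sensitive) String() string { return s.LogValue().String() }

// LogLine renders one JSON log record and returns it so the redaction
// can be checked programmatically rather than by eyeballing output.
func LogLine(repo, account string) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewJSONHandler(&buf, nil))
	logger.Info("paid with bank account",
		slog.Any("repo", Secret(repo).Public()), // deliberately visible
		slog.Any("account", Secret(account)),    // redacted by default
	)
	return strings.TrimSpace(buf.String())
}

// Field parses a line from LogLine and returns the logged value of key.
func Field(line, key string) string {
	var rec map[string]any
	if err := json.Unmarshal([]byte(line), &rec); err != nil {
		return ""
	}
	v, _ := rec[key].(string)
	return v
}

func main() { fmt.Println(LogLine("github.com/example/repo", "ACCT-0001-CONSTRUCTED")) }
```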