Logged secrets when :client-id is nil #434
Assignees
Labels
Comments
ptaoussanis
added a commit
that referenced
this issue
Aug 30, 2023
Motivations for change:
1. Full ring req is an unnecessary amount of info, and may
produce a lot of log noise.
2. Sensitive info can be (and often is) in ring requests.
3. Users can anyway catch the exception which includes the
request if they really need it.
Thanks to @NoahTheDuke for the report!
|
@NoahTheDuke Hi Noah! Thanks for the clear description of the problem, that was very helpful 🙏 I definitely consider this a bug, there's no need to print the full Ring request here - and the risk is better avoided. I've just pushed Sorry about the trouble! Cheers :-) |
|
Damn, that's so quick! Thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey Peter!
We use Integrant to do state management and use middleware to attach the subsystems to each request:
(-> req (assoc :system/db (:db system)) ...). Occasionally, there's a faulty connection (hard to tell exactly why or how, we're still diving into a related issue) and the:client-idisnil, which trips the line below. This logs the gigantic request to our logs, which includes things like production secrets that are stored in memory only.Would it be possible to add a flag or some configuration to allow us to avoid logging in this case? We're already dealing with the thrown exception and can log a redacted form of the request as desired.
sente/src/taoensso/sente.cljc
Line 752 in b746080
The text was updated successfully, but these errors were encountered: