[FEATURE] Add @ToString.Mask to mask field values with sensitive data in toString method

dome313 commented 5 years ago

When logging certain classes, it would be good not to exclude fields with sensitive data with @ToString.Exclude, but rather just mask their values with arbitrary value, e,g, ****. This would make clear in logs that those fields exist, but that their values are sensitive or personal data. Lomboked version

@ToString
public class Ticket {
  private String row;
  private String seat;
  @ToString.Mask
  private String owner;
}

Generate java code:

@Override
public String toString() {
  return "Ticket(row=" + this.row + ", seat=" + this.seat + ", owner=*******" + ")";
}

The annotation would be nested in ToString annotation and could look like

@Target({ElementType.FIELD, ElementType.METHOD})
@Retention(RetentionPolicy.SOURCE)
public @interface Mask {
  String value() default "********";
}

Target audience would be all developers that need to have logging that complies with GDPR standards.

rspilker commented 5 years ago

Any reason why the contents of the mask needs to be configurable?

dome313 commented 5 years ago

different people have different preferences when masking inputs, some wants to put ******, some use <HIDDEN> and so on... that's the main reason.

below part is optional Also with configurable content, this can be extended to support advanced syntax. For example, lets say that # represent character from the original string, then annotating with

  @ToString.Mask("*******###")
  private String mobileNumber;

would output *******567 for mobile number 0991234567

Maaartinus commented 5 years ago

You'll get most flexibility by using

@ToString.Include(name="owner")
private String ownerForGdpr() {
     return whatever you want
}

I'm not saying that a shortcut like @ToString.Mask wouldn't be useful.

dome313 commented 5 years ago

thanks @Maaartinus, nice one! two downsides:

method per field
changing the field name, requires changing the annotation value

Caleb-C commented 5 years ago

This feature (@ToString.Mask) would be incredibly useful in a number of industries. I would be happy to implement it when I have the time, but would be pleased if someone beat me to it!

rspilker commented 5 years ago

Why would you include such a field in the tostring at all? Using a mask wouldn't add any value to the tostring.

'@ToString.Exclude' removes the entire field from the tostring.

If that's not good enough, and you definitely want to have the field in there with some special rendering, the annotated method is warranted.

Caleb-C commented 5 years ago

There are several cases where it would be useful to mask content: PII, PHI, credit card numbers, passwords, and many more.

It would be much more useful to see that the field is populated (and perhaps the length of string fields) than just leaving the fields out of the log message.

While it is possible to mask the value with a method per field, it would be far easier to use a feature like this.

xenoterracide commented 4 years ago

passwords specifically should leave the length out, as that information can be used for an attack

rzwitserloot commented 4 years ago

Yeah, including length info is right out. I can see just 'rendering' null or, by exception, the blank string if it is a string (and that's a tricky exception to make already, because there are other notions that can be 'empty', such as lists, charsequences, you may have a class CreditCard with a sentinel value called BLANK which you would want to know about...) – and other than that, . Not a bunch of stars, as that wrongly suggests the string is at least that long.

I would accept a PR with it, but, it should have no arguments (not worth the effort or learning curve to let you specify the mask, if we really want this, lombok.config would be a better place for it), the behaviour is the same (field name included, value is ), and let's leave whether to explicitly show nulls and, if the relevant item has a type of String, blanks - okay. (and a string with only whitespace is not 'blank'). Should also work with methods included via @ToString.Include.

eugeneseppel commented 4 years ago

I also vote for this feature to avoid printing high critical PII to debug log. Currently use workaround (thanks to @Maaartinus ) but such approach looks ugly and not error-prone.

rzwitserloot commented 4 years ago

I've reviewed this one, really tried to get to the heart of the cost/benefit here.

Bad news; I am rescinding my earlier promise to accept a PR, and closing the issue. – The feature is not a good idea. I will lay out the reasons for it; this way, if you feel this decision is in error, please delve into the arguments laid out here; show how they are either incorrect or insufficient.

NB: Lombok has millions of users; even hundreds of 'but I like it!' don't move the needle and never will. Lombok is not a popularity contest; feature requests need to include falsifiable reasons, and 'ability to get a few friends to upvote an issue' should not move the needle. For mostly the same reason, "I find this ugly" or "This idea is elegant" are useless arguments. They are not falsifiable; such statements cannot usefully be part of a debate. So please don't make them. They just crowd out the useful debate.

So, what is the benefit in this cost/benefit analysis?

You'd think that the argument here is 'this makes it possible to adhere to regulations and hide sensitive information from logs', but that is NOT correct. Because lombok can already do that for you; you can either go with:

Alternative A:

@ToString.Exclude private String sensitiveField;

Alternative B:

private String sensitiveField;

@ToString.Include(name = "sensitiveField")
private String sensitiveFieldMasker() { return "****"; }

The exclude variant isn't even boilerplate; if that's what you want, it is 100% as good as the mask proposal (in that you need to put an explicit annotation on the field). The masker method solution is some boilerplate, but as I'll show later (in the cost section), also has crucial advantages.

So, the benefit of this feature is only in eliminated the above much more limited boilerplate.

Is that still worthwhile?

I don't think so:

The contrast is forgetting the entire lombok @ToString feature. As a hypothetical, let's say you have 20 fields in the class, and 2 need masking. Without lombok, you let your IDE generate the thing, and manually go in and replace the lines for the 2 masking fields with stars or whatnot.

This has 3 significant costs:

It means you need to redo this every time you change anything about these fields (you add one, or remove one, or rename one...)
It means it's hard to see that these fields are even being masked. somewhere in the lengthy toString impl (lengthy, as it prints 20 fields), there are 2 alternate print strategies.
It means that if you do rework that toString (which, as per point 1 you do a lot), it is somewhat easy to accidentally forget to re-apply the masking code, resulting in a security issue.

And the @ToString.Include alternative solves all 3 of these major issues: You need not mess with anything tostring related when adding or removing or changing non-mask fields, it is easy to see that masking of these sensitive fields is being done, and it's unlikely you'll remove one of these masker methods by accident (the most likely route to an accident is that you rename that field, resulting in the masking method no longer hiding it, as it no longer shares the name now. If this worries you, you can always shove an @Exclude on the field and close this loophole!) Thus, there are only two ways to take this feature request:

It is a feature request for 'let us make our logs properly cleansed of sensitive information', but then the feature is only for the final 20%, as lombok already gives you 80% of what you need or,
It is a feature request for 'I find having to write that one-liner method to mask out the field so annoying, can't you give me a boilerplate buster for THAT? In which case you're asking us to boilerplate-bust a one-liner method that you rarely type (of all fields in all your codebases, how many are sensitive info you still wanna log? 0.01% at best? Literally one-hundred-thousanth as useful as @Getter!)

Thus, the 'benefit' side of the cost/benefit analysis here is really, really low. so low, the feature is probably DOA already. But, it gets worse. A lot worse.

Let's talk about that masking concept: What do people actually WANT here? It is clear to me from this thread that people mean different things when they use the word 'mask':

Some want only to have a marker in the toString output to remind people this field exists; the actual 'value' part needs to be constant. Leaking data, any data at all, about the nature of that value is a potential security issue and is thus explicitly NOT desired (so, if the impl prints either 'null', 'empty', or 'set' and can't print anything else, a minority would still be unhappy. Even if they agree this is extremely unlikely to be an issue, they want to be able to say in their docs that 'nothing about your password is logged, at all, anywhere').
Some want to leak length. Some want this leaked in the form of stars, which seems, frankly, insane as a feature request: I know it's common to star out passwords, but sometimes our ancestors did something incredibly stupid, and we just copy them because we don't think about it. Surely that is the case here: You're asking someone to hold their finger to the screen, and start going 'ooone, two, three....' - imagine it, have a cry, then join me in being amazed at how insane this practice is. IF you want to show the length of a string, then we should print (16 chars) or some such, not *************** (is that 16 stars? You think so? Are you sure? Did you count?). Why do you want to leak length, though? Is that just an inferior stand-in for what you REALLY wanted to know? Such as 'is it a valid credit card number', or 'is it non-blank'? Why don't you ask for what you actually want?
Some want to know if it is set or not, but differ on definitions. Is an empty string 'set' or 'unset'? null is clearly unset, a non-empty string is most likely set, but an empty string? Is that 'set'? Strings aren't the only kind of field. Is an empty list 'set' or 'unset'? What about an AtomicReference object that is referencing null? Is that set or unset? How would lombok possibly know?
Some want to know if something is valid or not. Many numbers, such as social security numbers, IBAN bank account numbers, and credit card numbers, have a 'checksum' of sorts. For example, credit card numbers have to start with 3, 4, 5, or 6, otherwise they are not valid. The xx in this IBAN (bank account number): NLxxBANK0123456789 is a calculation; if you just make up numbers, only 1 in 99 would be considered 'valid' (passing the checksum). Some want to know: Is it a valid IBAN? Is it a valid credit card? The idea being, no doubt, that they want to see if it is set to some fake value (literally NL99NONE000000000), or to a real bank account value.
Some want the data printed out to depend on the context in which the printing occurs. For logs, make it disappear entirely. For in-debug-view, give me a little more. There's nothing toString can do to address this plausibly, but the point is: This IS a use case, and the mask feature DOES NOT cater to it, further eating away at the 'benefit' side.
Some want the data to be analysed for sensitive information, and if it is there, to print it, whereas if it is not, leave it as normal.
Some want the choice of what to print to depend on the dynamic type of the field. For example, a field of type AuthInfo auth needs some custom masking print work if it is an instance of PasswordAuthInfo (let's say you don't have control over their toString because it comes from a third party dep), but you just want the toString as normal if it is an instance of, say, TwitterBasedAuthInfo, because they do want to see the twitter handle and last token update timestamp.
Some want to compare the value to some known SENTINEL value, printing whether it is sentinel or not. For example, you want to hide the birthdate due to regulation requirements, but your entire system uses LocalDate.of(1800, 1, 1) as a sentinel to mean: "Unknown birthdate". If the value is sentinel, you want to print the sentinel, or print some alternate string, whereas anything else should be masked as normal.
Some want torender a subset of the information which can be provided without running afoul of regulations. For example, instead of printing birthdate, print from a baked in set of population ranges. For example, print 'adult' if 18+ years old, 'child' if not, 'unset' if null, 'invalid' if in the future. For a postal code, print only the first 3 digits. Etcetera.

And the list goes on.

The ability to let the programmer decide, in terms of java code and not some ersatz really crappy DSL (annotation params are a really bad DSL!), is a significant advantage of the @ToString.Include solution. You can do everything in that above list, fairly simply.

This leaves us with only 2 options, and they both lead to the same conclusion:

This feature will not cater to all these varied requests, which means in practice we're pushing the needle from 'lombok gives you 80% of what you want' to 'lombok gives you maybe 85% of what you want'. I don't think that last 20% is enough to warrant this feature. 5% definitely isn't enough, so this leads to the conclusion that the feature should not be added.
The feature does cater to all these varied requests and is as a consequence very complicated. The benefit is now pushed up from 80% to 95%, but the costs are also MUCH larger: Far more dev time, far more maintenance burden, and a continuous effort to keep it up to date with well known types and particular masking behaviors. The fact that that the traffic on this issue seems to suggest that everyone thinks 'masking' means one thing, whereas it doesn't, also means there is a risk that lombok is making it way too easy to write code with security issues, because the users of this feature would misunderstand what 'mask' means. The conclusion is that the feature should not be added.

And there you have it. No matter which way we do it, the end result would be bad.

I do hope nobody was already on a PR for this. I apologize for jumping the gun on promising we'd accept one.

juriad commented 4 years ago

Not working on a PR, don't worry ;-) I personally do not need masking at all and am happy with the current options. I mostly agree with you that @ToString.Exclude and @ToString.Include with a custom method solve most cases.

I want to point out one issue which has not been discussed yet and might bring us to a solution which people desire. Writing custom masking methods and annotating them with @ToString.Include might be tedious; also many of these methods will be exactly the same.

Let me propose one solution and see where it can lead us. As far as I understand you reasoning, my proposal does not contradict it.

Static methods

What if we refactored masking methods into static methods in some other class? Lombok could then easily wrap the value with a static method call. This would work nicely with @UtilityClass.

The following code:

private final String password;

@ToString.Include(name="password")
private void maskedPassword() {
  return password == null ? null : "*****";
}

Could be instead written as:

package my.company.is.the.greatest;
@UtilityClass class Maskers {
  private String maskedPassword(String password) {
    return password == null ? "none" : "*****";
  }
}

And then later used as:

@ToString.Mask(method="my.company.is.the.greatest.Maskers.maskedPassword")
private final String password;

Configuration

Since a user is required to fill the fully qualified name of a method every time, there is little advantage to it; we cannot easily use static imports (which would make it shorter) because IDEs might be removing them when organizing imports.

Let's think about shortening the fully qualified name. We can introduce lombok.config configuration such as:

lombok.toString.masker.package=my.company.is.the.greatest used as @ToString.Mask(method="Maskers.maskedPassword")
lombok.toString.masker.class=my.company.is.the.greatest.Maskers used as @ToString.Mask(method="maskedPassword")
lombok.toString.masker.aliases=password=my.company.is.the.greatest.Maskers.maskedPassword,... used as @ToString.Mask(name="password"), or even: @ToString.Mask (assuming that the name of the field is equal to the alias)

The last one is clearly superior.

The annotation would have two parameters which are mutually exclusive:

method - FQN of a static method, or a static method on Self if the method does not contain .
name - reference to a definition in lombok.toString.masker.aliases
none - works as if name was set to the name of the field

Null handling

Some maskers might want to handle null themselves; most often the default implementation is good enough (prints null). The annotation could be parametrized by @ToString.Mask(..., handleNull=true) (false by default). The default could be configurable. On the other hand, this bit brings just too much complexity and it might be easier to have the user always handle nulls.

Related features

This feature would allow to transform value for use in the toString generator. Could Lombok use this elsewhere?

I can think of a @Getter which a user might want to configure similarly - do a defensive copy / wrap value with unmodifiableCollection(...); this could be achieved by something like @Getter.Transform.
@Setter could want the same (copy list; trim string).
If we do with extending setters, we could do the same with @*ArgsConstructor.

We already have @Builder.ObtainVia which can call a static method on Self and pass it this. Would it be useful to extend it to be able to call a static method on a different class?

Naming

This feature could turn into more than masking; it could be:

formatting (dates, phone numbers),
escaping (non-ascii unicode characters, control characters),
excerpting (first sentence, couple items from a list),
masking (passwords, phone numbers).

We should also consider naming consistency with the related features.

I don't think we should call it @ToString.Mask. I leave the question of choosing name open. We might want to start the discussion over in a new issue.

ArnauAregall commented 4 years ago

Don't want to "wake the dead", but... how about this?:

@ToString.Pattern(pattern = java.lang.String, match = boolean)

Flexible
Decision to include it in toString() is simply checking java.lang.Pattern.matches(pattern, fieldValue) == match.
Should make the trick for masking/excluding fields. If you want to mask only concrete parts of a String, do it yourself (ie: in case needed for logs, apply mask on appender config).

bogdartysh commented 2 years ago

I mostly agree with you that @ToString.Exclude and @ToString.Include with a custom method solve most cases.

even so in 80% of cases it's ok, 20% of a project with gigabytes of code is a lot of work to do...

toString(){
 return field == null? null: "xxxxxx"
}

so as if field is nul I think it's interesting....

and in 5% of cases the logic would be more complicated:

toString(){
 return field == null? null: toString()[n_first_characters] + "xxxxxx" + toString()[n_last_characters]
}

wolfiesonfire commented 2 years ago

@dome313 @Maaartinus @Caleb-C @eugeneseppel @juriad

I recently had this kind of request and implement with few code.

Use like this.

First define a tool.

package com.example;

public class DesensitizeUtil {

    /**
     * replace as * from 5 ~ 8
     */
    public static String desensitize(String param) {
        return param.substring(0, 4) + "****" + param.substring(8);
    }

}

Use ToString.Handler on your entity, with specify the method above.

package com.example;

import lombok.Data;
import lombok.ToString;

@Data
public class User {

    // class 2 method name
    @ToString.Handler("com.example.DesensitizeUtil.desensitize")
    private String password;

    // class and method name
    @ToString.Handler(handlerClass = DesensitizeUtil.class, handlerMethod = "desensitize")
    private String bankcard;

}

https://github.com/wolfiesonfire/lombok-desensitize

rzwitserloot commented 2 years ago

@ArnauAregall wrote:

Don't want to "wake the dead", but... how about this?: @ToString.Pattern(pattern = java.lang.String, match = boolean)

This isn't legal java and makes no sense to me. match = boolean? What does that mean? I'm not sure I understand what you're proposing.

rzwitserloot commented 2 years ago

@ToString.Handler("com.example.DesensitizeUtil.desensitize")

Shoving FQN classnames in a string literal is vetoed. We don't like 'stringly typed' anything in java; we introduced it ourselfs in e.g. @EqualsAndHashCode(of = "fieldname") and have addressed our own errors there by introducing @EqualsAndHashCode. There could be @ToString.Handler(PasswordDesensitizer.class), which also fixed your dubious naming practice there (DensitizeUtil? Oof. Just Desensitizer seems right). We could default to having the 'handler' method be named apply or some such, letting you specify a different name if you must. Or even that maskers MUST implement UnaryOperator<T>, thus, we know the method name: apply. Unfortunately, we'd have to construct a class every time which is a bit of a waste, so perhaps we do need a name... and then we're back in stringly typed territory, ugh.

All that pain and crappy implementation, and for what? To address a dubious practice (I think you're in a bit more trouble than just needing to fix some toStrings if sensitive info makes it quite this far), and to avoid the boilerplate of:

@ToString.Include
private String bankcard() {
  return bankcard == null ? "null" : "****";
}

That's not good enough. Issues stays closed until someone comes up with a better plan than this.

sumitnsit commented 1 year ago

This annotation will be really helpful to avoid printing PII information in logs. There is no point adding @ToString.Exclude and then @ToString.Include in the code for each field.

@ToString.Mask(regEx, replaceString)

e.g.

@ToString.Mask("(?=.{4})", "*") String accountId;

So account id 1234567890 will be printed as **7890 in toString method.

projectlombok / lombok