rollbar / Rollbar.NET

Rollbar for .NET
https://docs.rollbar.com/docs/dotnet
MIT License

A lot of notifier properties come through when logging a request, including access token. #644

Closed beeradmoore closed 5 months ago

beeradmoore commented 1 year ago

Describe the bug

A lot of notifier properties come through when logging a request with Rollbar.NET. Compared to our PHP project, which sends through 2 properties in notifier.*, our .NET project sends through 59. The main concern is that it also sends through the token.

To Reproduce

  1. Create a new project.
  2. Set up a logger like so:

```csharp
var rollbarToken = "myRollbarToken";
var rollbarEnvironment = "myEnv";
var rollbarConfig = new RollbarInfrastructureConfig(
    rollbarToken,
    rollbarEnvironment
);
RollbarInfrastructure.Instance.Init(rollbarConfig);
```

  3. Log a message:

```csharp
RollbarLocator.RollbarInstance.AsBlockingLogger(TimeSpan.FromSeconds(5)).LogError(new Exception("test 1"));
```

Expected behavior

An error event is triggered which tells you about an exception labelled "test 1", and also does not expose my Rollbar config.

Screenshots N/A

Rollbar Client - Rollbar.NET Hosting Environment (please complete the following information):

Additional context

The payload for the event listed in Rollbar for the above log would look something like this (this was captured via debug on macOS so it may not align 100%; I can fetch the actual result later):

```json
{
  "body": {
    "trace": {
      "frames": [
        {
          ...
        },
        {
          ...
        }
      ],
      "exception": {
        "message": "test 1",
        "class": "System.Exception"
      }
    }
  },
  "uuid": "23921fefsdfjsdi",
  "language": "c#",
  "level": "error",
  "timestamp": 1687390305,
  "custom": {},
  "environment": "myEnv",
  "platform": "....",
  "framework": ".NETCoreApp,Version=v6.0",
  "notifier": {
    "version": "5.2.0",
    "infrastructure_options": {
      "RollbarLoggerConfig": {
        "RollbarPayloadAdditionOptions": {
          "Person": null,
          "CodeVersion": null,
          "Server": null
        },
        "HttpProxyOptions": {
          "ProxyAddress": null,
          "ProxyUsername": null,
          "ProxyPassword": null
        },
        "RollbarDeveloperOptions": {
          "WrapReportedExceptionWithRollbarException": true,
          "LogLevel": "debug",
          "RethrowExceptionsAfterReporting": false,
          "Enabled": true,
          "PayloadPostTimeout": "00:00:30",
          "Transmit": true
        },
        "RollbarDataSecurityOptions": {
          "IpAddressCollectionPolicy": "Collect",
          "PersonDataCollectionPolicies": "None",
          "ScrubSafelistFields": [],
          "ScrubFields": [
            "Password",
            "passwd",
            "confirm_password",
            "password_confirmation",
            "accessToken",
            "auth_token",
            "authentication",
            "secret"
          ]
        },
        "RollbarDestinationOptions": {
          "Environment": "myEnv",
          "EndPoint": "https://api.rollbar.com/api/1/",
          "AccessToken": "myRollbarToken"
        }
      },
      "RollbarTelemetryOptions": {
        "TelemetryAutoCollectionInterval": "00:00:00",
        "TelemetryEnabled": false,
        "TelemetryQueueDepth": 5,
        "TelemetryAutoCollectionTypes": "None"
      },
      "RollbarOfflineStoreOptions": {
        "EnableLocalPayloadStore": false,
        "LocalPayloadStoreLocationPath": "/Users/someUser/.local/share",
        "LocalPayloadStoreFileName": "RollbarPayloadsStore.db"
      },
      "RollbarInfrastructureOptions": {
        "CaptureUncaughtExceptions": true,
        "ReportingQueueDepth": 20,
        "PayloadPostTimeout": "00:00:30",
        "MaxItems": 10,
        "MaxReportsPerMinute": null
      }
    },
    "name": "Rollbar.NET (Rollbar.Net Notifier SDK)",
    "configured_options": {
      "RollbarPayloadAdditionOptions": {
        "Person": null,
        "CodeVersion": null,
        "Server": null
      },
      "HttpProxyOptions": {
        "ProxyAddress": null,
        "ProxyUsername": null,
        "ProxyPassword": null
      },
      "RollbarDeveloperOptions": {
        "WrapReportedExceptionWithRollbarException": true,
        "LogLevel": "debug",
        "RethrowExceptionsAfterReporting": false,
        "Enabled": true,
        "PayloadPostTimeout": "00:00:30",
        "Transmit": true
      },
      "RollbarDataSecurityOptions": {
        "IpAddressCollectionPolicy": "Collect",
        "PersonDataCollectionPolicies": "None",
        "ScrubSafelistFields": [],
        "ScrubFields": [
          "Password",
          "passwd",
          "confirm_password",
          "password_confirmation",
          "accessToken",
          "auth_token",
          "authentication",
          "secret"
        ]
      },
      "RollbarDestinationOptions": {
        "Environment": "myEnv",
        "EndPoint": "https://api.rollbar.com/api/1/",
        "AccessToken": "myRollbarToken"
      }
    }
  },
  "metadata": {
    "customer_timestamp": 1687426305
  }
}
```

I would expect, given the above, that this is excessive, and also exposing the token is not ideal. I tried to scrub the notifier property, but it then generated a different Rollbar API error: `Invalid format. data.notifier should be object.`

Is this output to be expected? Is there any way I can minify it?

beeradmoore commented 9 months ago

@rollbar-bborsits, sorry for the tag, but is there any way to minify this, and also to exclude our access token from existing in Rollbar items? Not sure if it is normal that the Rollbar token is visible in data on the dashboard, especially with the incident that happened recently.

I'll try logging while ignoring AccessToken, not just accessToken, as maybe it's case-sensitive.
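The first post's payload carries the project token under `RollbarDestinationOptions.AccessToken`, while the default `ScrubFields` list names `accessToken`, which is what prompts the case-sensitivity guess above. The following Python script is an added example, not Rollbar.NET code and not the reporter's: it models the scrub step as a stand-alone function over a trimmed, constructed copy of the pasted payload, and pairs it with a leak check that searches the outgoing document for the token value itself. Whether the SDK's own matching is case-sensitive is not established in this thread; the example only shows why the distinction matters and gives a check that does not depend on the answer.

```python
"""Recursive key-based scrubbing of a Rollbar-style payload, plus a leak check.

Added example (not part of Rollbar.NET). The payload below is a constructed,
trimmed version of the one pasted in the issue; REDACTED and the helper names
are this example's own choices.
"""
import copy
import json

# Constructed sample: trimmed from the payload in the issue.
SAMPLE_PAYLOAD = {
    "body": {"trace": {"exception": {"message": "test 1", "class": "System.Exception"}}},
    "environment": "myEnv",
    "notifier": {
        "version": "5.2.0",
        "name": "Rollbar.NET (Rollbar.Net Notifier SDK)",
        "configured_options": {
            "HttpProxyOptions": {"ProxyAddress": None, "ProxyUsername": None, "ProxyPassword": None},
            "RollbarDataSecurityOptions": {"ScrubFields": ["Password", "accessToken", "secret"]},
            "RollbarDestinationOptions": {
                "Environment": "myEnv",
                "EndPoint": "https://api.rollbar.com/api/1/",
                "AccessToken": "myRollbarToken",
            },
        },
    },
}

# The default list as shown in the issue (camelCase "accessToken") ...
DEFAULT_SCRUB_FIELDS = ["Password", "passwd", "confirm_password", "password_confirmation",
                        "accessToken", "auth_token", "authentication", "secret"]
# ... and the PascalCase names the option objects in the pasted payload actually use.
EXTRA_SCRUB_FIELDS = ["AccessToken", "ProxyPassword"]

REDACTED = "***"


def scrub(obj, fields, case_sensitive=False):
    """Return a deep copy of obj with the value of every key in `fields` replaced.

    Keys are compared case-insensitively unless case_sensitive=True; that flag is
    the difference between "accessToken" (in the default list) and "AccessToken"
    (the key that carries the token in the pasted payload).
    """
    norm = (lambda s: s) if case_sensitive else str.lower
    targets = {norm(f) for f in fields}

    def walk(node):
        if isinstance(node, dict):
            return {k: (REDACTED if norm(k) in targets else walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(copy.deepcopy(obj))


def find_leaks(payload, secrets):
    """Return dotted paths of string values that still contain any of `secrets`.

    Run this on the document that is about to be transmitted (or in a unit test)
    instead of trusting the scrub list alone.
    """
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and any(s in node for s in secrets):
            leaks.append(path.lstrip("."))

    walk(payload, "")
    return leaks


if __name__ == "__main__":
    token = "myRollbarToken"
    # Case-sensitive matching with the default list leaves "AccessToken" untouched.
    print("case-sensitive leaks:", find_leaks(scrub(SAMPLE_PAYLOAD, DEFAULT_SCRUB_FIELDS, True), [token]))
    # Case-insensitive matching (or adding the PascalCase name) redacts it.
    print("case-insensitive leaks:", find_leaks(scrub(SAMPLE_PAYLOAD, DEFAULT_SCRUB_FIELDS), [token]))
    print(json.dumps(scrub(SAMPLE_PAYLOAD, DEFAULT_SCRUB_FIELDS + EXTRA_SCRUB_FIELDS), indent=2))
```

The leak check matches on the secret's value rather than on key names, so it catches the token wherever it lands (a nested options object, a string inside a list, a URL) and does not care which spelling the scrub list uses. Note that `Password` in the default list does not cover `ProxyPassword`, since matching is on the whole key; that is why the example adds it explicitly.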

ghost commented 9 months ago

Hey @beeradmoore, no worries. I'm sorry for the late response; I was on holiday. Can you open a support ticket here? As this is a security-related question, we might need to clarify more details.

beeradmoore commented 9 months ago

No worries. That is now sent through. Ticket number is 56346.

beeradmoore commented 3 months ago

@csaba-ilonka-rollbar , did this not go out as a nuget update?

csaba-ilonka-rollbar commented 3 months ago

> did this not go out as a nuget update?

@beeradmoore you are right, sorry about that. I just published v5.2.2 on NuGet.