serilog-contrib / Serilog.Enrichers.Sensitive

A Serilog LogEvent enricher that masks sensitive data
MIT License

Require Explicitly initialize Email regex mask operator #9

Closed Eliemer closed 1 year ago

Eliemer commented 1 year ago

I do not intend to mask emails in my logs, only using MaskProperties, but this enricher masks emails by default. I also don't have an option to opt out of this operator either.

The issue I'm having is I have a property that can sometimes be a valid email address but it's not required to be. It's simply a human-readable identifier. In the cases that it is an email address, this enricher is masking that value.

// Configures Serilog: sinks and enrichers go here
let initializeLogging (configuration: IConfigurationRoot) =
    Log.Logger <-
        LoggerConfiguration()
            // read from Serilog section of json config files
            .ReadFrom
            .Configuration(
                configuration
            )
            .Enrich
            // FIX: this constructor automatically adds Email regex matching everywhere
            .WithSensitiveDataMasking(
                // these properties will always be masked if they are present.
                // the field names are case insensitive
                Action<SensitiveDataEnricherOptions>(fun opts -> opts.MaskProperties.AddRange([ "Secrets"; "Password" ]))
            )
            .Destructure.FSharpTypes()
            .CreateLogger()

Eliemer commented 1 year ago

As an aside, maybe we can also add NeverMaskProperties to exclude properties from regex operators that may match it.

sandermvanvliet commented 1 year ago

You can configure the enricher to only mask a specific property and ignore the rest like so:

new LoggerConfiguration()
    .Enrich
    .WithSensitiveDataMasking(
        options =>
        {
            options.MaskingOperators.Clear();
            options.MaskProperties.AddRange(new[] { "Secrets", "Password" });
        });

That will remove all the default masking operators and always mask the Secrets and Password properties.

I don’t have a computer handy here to test so while I think this works it might not 😉

sandermvanvliet commented 1 year ago

> As an aside, maybe we can also add NeverMaskProperties to exclude properties from regex operators that may match it

Good suggestion 👍 I’ll include this in the next release

sandermvanvliet commented 1 year ago

I've decided to not change the behavior of the configuration just yet as that would break usage if you already have implemented the package in your app. Suddenly the masking would not be active anymore and that's a surprise I don't want to spring on users.

In the meantime, if you don't want the default masking operators (or basically, good practice anyway) you should indicate the list of masking operators that are relevant to your application like so:

new LoggerConfiguration()
    .Enrich
    .WithSensitiveDataMasking(
        options =>
        {
            options.MaskingOperators = new List<IMaskingOperator> 
            {
                new EmailAddressMaskingOperator(),
                new IbanMaskingOperator()
                // etc etc
            };
        });

I've updated the README to reflect this.

In the meantime I've also added an ExcludeProperties option which you can use to exclude properties from masking even if their values would match a masking operator.
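
A simplified Python model of the three configurations discussed in this thread (default operators, cleared operators, and an exclude list), added here as an illustration and not code from the thread or from Serilog.Enrichers.Sensitive. The precedence order, the mask text, the email pattern, the `DisplayId` property and the sample event are assumptions constructed for the example.

```python
import re

MASK = "***MASKED***"  # assumed placeholder text for this model
# Simplified email pattern for the model; not the library's regex.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def email_operator(value):
    """Regex masking operator: replaces anything that looks like an email."""
    return EMAIL.sub(MASK, value)

def enrich(event, operators, mask_properties=(), exclude_properties=()):
    # Assumed precedence (model only): excluded names pass through, named
    # properties are always masked, regex operators scan everything else.
    # Names compare case-insensitively, as the first post's comment says.
    always = {n.lower() for n in mask_properties}
    never = {n.lower() for n in exclude_properties}
    out = {}
    for name, value in event.items():
        key = name.lower()
        if key in never:
            out[name] = value
        elif key in always:
            out[name] = MASK
        else:
            for op in operators:
                value = op(value)
            out[name] = value
    return out

# Constructed sample event: DisplayId is a human-readable identifier that
# happens to be an email; Message carries an email the team does want masked.
EVENT = {
    "DisplayId": "jane@example.com",
    "Password": "hunter2",
    "Message": "reset link sent to bob@example.org",
}
NAMES = ["Secrets", "Password"]

def compare():
    """Mask EVENT under the three configurations discussed in the thread."""
    return {
        "defaults": enrich(EVENT, [email_operator], NAMES),
        "cleared": enrich(EVENT, [], NAMES),
        "excluded": enrich(EVENT, [email_operator], NAMES, ["DisplayId"]),
    }

if __name__ == "__main__":
    for label, props in compare().items():
        print(label, props)
```

In the cleared configuration the address embedded in `Message` is logged in clear text, while the exclude list keeps it masked and still passes `DisplayId` through.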