There are a number of potential attacks involving logs. They can be mitigated through sanitization. Users of the logrus package (and others) can sanitize data before passing it to logrus, but the broad spread of calls into the logging package means sanitization will sometimes be missed.
Compare the verbosity of
logger.Infof("Request %s %v %s\n", method, url.Path, extraReqInfo)
with
logger.Infof("Request %s %v %s\n", sanitize(method), sanitize(url.Path), sanitize(extraReqInfo))
...and consider how many log statements are created during the debugging process.
If sanitization is built into the logging package - for example in the form of a callback function provided as a configuration parameter - then security will be enhanced.
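The following is an added illustration of the proposal, not code from logrus or from the issue author. It shows a sanitizer supplied once as a configuration parameter and applied inside the logger to every string argument, so call sites stay as terse as the unsanitized version. The `Logger`, `Sanitizer` and `DefaultSanitizer` names are invented for this example; a standard-library stand-in is used instead of the real logrus types (in logrus, a hook implementing `Levels()` and `Fire(*logrus.Entry)` would be the natural home for the same callback). The sanitizer escapes newlines and other control characters, which is what defeats log forging (a value containing `\n` that fakes a second log line) and terminal-escape injection.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Sanitizer is the callback a logging package could accept as a configuration
// parameter. It runs inside the logger, so individual call sites never have to
// remember to invoke it. (Hypothetical type, not part of logrus.)
type Sanitizer func(string) string

// DefaultSanitizer neutralises the classic log-injection vectors: newlines,
// carriage returns and other control characters (ANSI escapes start with
// 0x1b) are rendered as visible escape sequences, so a single log call can
// never forge an extra log line or drive the terminal that displays the log.
func DefaultSanitizer(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\n':
			b.WriteString(`\n`)
		case r == '\r':
			b.WriteString(`\r`)
		case r == '\t':
			b.WriteString(`\t`)
		case unicode.IsControl(r):
			fmt.Fprintf(&b, `\x%02x`, r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Logger is a minimal stand-in for a logging package whose sanitizer is set
// once at construction. Lines are also kept in memory so the example can be
// inspected without touching stdout.
type Logger struct {
	sanitize Sanitizer
	Lines    []string
}

// NewLogger configures the sanitizer; passing nil disables sanitization.
func NewLogger(s Sanitizer) *Logger { return &Logger{sanitize: s} }

// Infof formats like fmt.Sprintf, but string-like arguments (string, error,
// fmt.Stringer) pass through the configured sanitizer first. Non-string
// arguments (ints, structs) are left alone so verbs such as %d keep working.
// The format string itself is trusted and is not sanitized, so a trailing
// "\n" written by the developer is preserved.
func (l *Logger) Infof(format string, args ...interface{}) string {
	clean := make([]interface{}, len(args))
	for i, a := range args {
		if l.sanitize == nil {
			clean[i] = a
			continue
		}
		switch v := a.(type) {
		case string:
			clean[i] = l.sanitize(v)
		case error:
			clean[i] = l.sanitize(v.Error())
		case fmt.Stringer:
			clean[i] = l.sanitize(v.String())
		default:
			clean[i] = a
		}
	}
	line := fmt.Sprintf(format, clean...)
	l.Lines = append(l.Lines, line)
	return line
}

func main() {
	logger := NewLogger(DefaultSanitizer)
	// Constructed attacker-controlled path: tries to forge a second log line
	// and emit a terminal escape sequence.
	path := "/login\n2024-01-01 INFO Request GET /admin ok \x1b[31m"
	fmt.Print(logger.Infof("Request %s %v status=%d\n", "GET", path, 200))
}
```

Because the sanitizer is applied per argument rather than to the finished line, the developer's own format string is never altered, while any untrusted value is neutralised regardless of which of the many call sites it reaches.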