Review use of user supplied information in logging entries #772

Open
4 tasks
iramiller opened this issue Apr 5, 2022 · 2 comments
Labels: good first issue (Good for newcomers), low (Low priority)
Comments

@iramiller (Member)

Summary

Recently there have been some concerns over what information a user can submit that will end up directly in a log message. This issue is to review all the fmt.Sprintf usage within errors in the provenanced project and sanitize resulting output where appropriate.

Problem Definition

Users having control over output that is logged in error messages can have unintended consequences and can potentially open up systems to attack. Encoding or otherwise preventing direct control of output based on user inputs is a standard security best practice.

Proposal

Search through the project for uses of fmt.Sprintf. Audit all occurrences for use of user supplied input and remove these instances.


For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
@iramiller iramiller added good first issue Good for newcomers security Security related request/issue labels Apr 5, 2022
@iramiller iramiller added this to the v1.9.0 milestone Apr 5, 2022
@dwedul-figure (Contributor)

Probably need to include the actual logger calls too: .Debug(, .Info(, .Error(, and .With(.

All output in unit tests should use either t.Log(...) or s.T().Log(...) instead of fmt.Printf or related.
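The issue body (user input reaching `fmt.Sprintf` inside errors) and the comment above (the `.Debug(`, `.Info(`, `.Error(` and `.With(` logger calls) come down to one control: a string a user controls must not be able to add a line break, a terminal escape, or a fake `key=value` pair to a log record. The Go program below is an added example and is not provenanced code. It uses a constructed hostile denom string to show an unsanitized `fmt.Errorf` forging a second log line, then a hypothetical `sanitizeForLog` helper that escapes control and non-printable runes, and a small `logLine` builder standing in for a structured logger's `.With`, which quotes every value with `strconv.Quote`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Constructed sample input (not real chain data): a denom field that embeds a newline,
// a fake log record for the next line, and an ANSI colour escape.
const hostileDenom = "nhash\nINFO[0002] module=bank msg=\"transfer ok\" \x1b[31m"

// unsanitizedError is the pattern the issue asks to audit: user input straight into the format verb.
func unsanitizedError(denom string) error {
	return fmt.Errorf("invalid denom %s", denom)
}

// sanitizeForLog (hypothetical helper) keeps printable Unicode unchanged and replaces every
// control or non-printable rune with its Go escape sequence (\n, \r, \x1b, \u200b, ...),
// so the result can never span more than one line or carry a terminal escape.
func sanitizeForLog(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for _, r := range s {
		if unicode.IsControl(r) || !unicode.IsPrint(r) {
			q := strconv.QuoteRune(r)      // e.g. newline becomes '\n' including the single quotes
			b.WriteString(q[1 : len(q)-1]) // strip the quotes, keep the escape
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

// sanitizedError is the hardened form of unsanitizedError.
func sanitizedError(denom string) error {
	return fmt.Errorf("invalid denom %s", sanitizeForLog(denom))
}

// logLine stands in for a structured logger's .With(key, value).Info(msg): every value is
// Go-quoted, so a value cannot terminate the record or inject a fake key=value pair.
func logLine(level, msg string, kv ...string) string {
	var b strings.Builder
	b.WriteString(level)
	b.WriteString(" msg=")
	b.WriteString(strconv.Quote(msg))
	for i := 0; i+1 < len(kv); i += 2 {
		b.WriteString(" ")
		b.WriteString(kv[i])
		b.WriteString("=")
		b.WriteString(strconv.Quote(kv[i+1]))
	}
	return b.String()
}

// lineCount is the check a reviewer wants: a record influenced by user input must occupy one line.
func lineCount(s string) int {
	return strings.Count(s, "\n") + 1
}

func main() {
	fmt.Println("unsanitized (2 physical lines):")
	fmt.Println(unsanitizedError(hostileDenom))
	fmt.Println("sanitized (1 line):")
	fmt.Println(sanitizedError(hostileDenom))
	fmt.Println("structured, quoted value:")
	fmt.Println(logLine("ERROR", "invalid denom", "denom", hostileDenom))
}
```

Run it with `go run`. To locate the call sites the issue asks to audit, a plain search such as `grep -rn 'fmt\.\(Sprintf\|Errorf\)\|\.With(' --include='*.go' .` is a workable starting point; the escaping is only needed where the argument traces back to a transaction or query field, and quoting at the logger boundary (as `logLine` does) covers every `.With` value at once rather than one call site at a time.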

@iramiller iramiller modified the milestones: v1.13.0, v1.14.0 Sep 21, 2022
@iramiller (Member, Author)

@llama-del-rey you might want 👀 on this one

@nullpointer0x00 nullpointer0x00 modified the milestones: v1.14.0, v1.15.0 Jan 23, 2023
@iramiller iramiller moved this from Todo to Backlog in Provenance Core Protocol Team Mar 24, 2023
@iramiller iramiller modified the milestones: v1.15.0, v1.16.0 Mar 24, 2023
@iramiller iramiller modified the milestones: v1.16.0, backlog May 15, 2023
@iramiller iramiller added the low Low priority label Nov 9, 2023
@iramiller iramiller removed the security Security related request/issue label Aug 14, 2024
@SpicyLemon SpicyLemon removed their assignment Oct 2, 2024