fix(security): change default log level from Trace to Info (SEC-003)#72
fix(security): change default log level from Trace to Info (SEC-003)#72abyssbugg wants to merge 1 commit into
Conversation
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Warning Review limit reached
Next review available in: 47 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Reviewer's guide (collapsed on small PRs)Reviewer's GuideAdjusts the application’s default logging configuration to reduce sensitive data exposure while preserving runtime log-level control via the tray menu. Sequence diagram for default log level and tray-menu overridesequenceDiagram
participant App
participant TauriPluginLog
actor TrayMenu
App->>TauriPluginLog: Builder.level(LevelFilter_Info)
App->>TauriPluginLog: Builder.level_for("hyper", LevelFilter_Warn)
App->>TauriPluginLog: Builder.level_for("reqwest", LevelFilter_Warn)
App->>TauriPluginLog: Builder.level_for("tao", LevelFilter_Info)
note over TauriPluginLog: Logging starts with default Info level
TrayMenu->>TauriPluginLog: set_log_level(LevelFilter_Trace)
note over TauriPluginLog: Runtime log level raised to Trace for debugging
File-Level Changes
Assessment against linked issues
Possibly linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Summary
Fixes #64 — changes the default log level from
TracetoInfoto reduce the risk of sensitive data leaking into log files.Finding
SEC-003 (CWE-532, LOW):
lib.rs:436set the default log level toTrace(all levels captured). While redaction is comprehensive, Trace level writes HTTP request/response previews, keychain operations, and env var reads. New patterns could leak.Reclassification note: The original report classified this as a vulnerability. Ground-truth verification found a comment at
lib.rs:436documenting this as an intentional design decision with tray-menu runtime filter control. This was reclassified to configuration hardening — the fix is reasonable as long as the runtime tray-menu control still works.Fix
Changed
.level(log::LevelFilter::Trace)to.level(log::LevelFilter::Info)and updated the comment to clarify that the tray menu can still raise verbosity to Trace for debugging.Verification
tauri-plugin-logruntime level changes, which override the initial default. Debugging capability is preserved.cargo test✅ 164 passed, 0 failedRegression Risk
Low — runtime tray control preserved. Debugging capability unchanged; only the initial default shifts from Trace to Info. Users who need Trace can still enable it via the tray menu.
Summary by cubic
Set the default log level to
Info(wasTrace) to reduce the chance of sensitive data leaking into logs, addressing SEC-003. The tray menu still lets users raise the runtime level toTracefor debugging.Written for commit 8f2bd35. Summary will update on new commits.
Summary by Sourcery
Enhancements: