Skip to content

fix(security): change default log level from Trace to Info (SEC-003)#72

Open
abyssbugg wants to merge 1 commit into
mainfrom
program-s/pr-s3-log-level
Open

fix(security): change default log level from Trace to Info (SEC-003)#72
abyssbugg wants to merge 1 commit into
mainfrom
program-s/pr-s3-log-level

Conversation

@abyssbugg

@abyssbugg abyssbugg commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes #64 — changes the default log level from Trace to Info to reduce the risk of sensitive data leaking into log files.

Finding

SEC-003 (CWE-532, LOW): lib.rs:436 set the default log level to Trace (all levels captured). While redaction is comprehensive, Trace level writes HTTP request/response previews, keychain operations, and env var reads. New patterns could leak.

Reclassification note: The original report classified this as a vulnerability. Ground-truth verification found a comment at lib.rs:436 documenting this as an intentional design decision with tray-menu runtime filter control. This was reclassified to configuration hardening — the fix is reasonable as long as the runtime tray-menu control still works.

Fix

Changed .level(log::LevelFilter::Trace) to .level(log::LevelFilter::Info) and updated the comment to clarify that the tray menu can still raise verbosity to Trace for debugging.

Verification

  • The tray-menu log-level control uses tauri-plugin-log runtime level changes, which override the initial default. Debugging capability is preserved.
  • cargo test ✅ 164 passed, 0 failed

Regression Risk

Low — runtime tray control preserved. Debugging capability unchanged; only the initial default shifts from Trace to Info. Users who need Trace can still enable it via the tray menu.


Summary by cubic

Set the default log level to Info (was Trace) to reduce the chance of sensitive data leaking into logs, addressing SEC-003. The tray menu still lets users raise the runtime level to Trace for debugging.

Written for commit 8f2bd35. Summary will update on new commits.

Review in cubic

Summary by Sourcery

Enhancements:

  • Adjust logging configuration to use Info as the initial log level and clarify the tray-menu behavior in the associated comment.

@abyssbugg abyssbugg added security Security finding or hardening program-s Program S — Security Hardening labels Jul 10, 2026
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@abyssbugg, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 47 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2c1ec47f-b3a9-4de7-af17-2c58134ffde0

📥 Commits

Reviewing files that changed from the base of the PR and between 6fd9421 and 8f2bd35.

📒 Files selected for processing (1)
  • src-tauri/src/lib.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch program-s/pr-s3-log-level

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sourcery-ai

sourcery-ai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adjusts the application’s default logging configuration to reduce sensitive data exposure while preserving runtime log-level control via the tray menu.

Sequence diagram for default log level and tray-menu override

sequenceDiagram
    participant App
    participant TauriPluginLog
    actor TrayMenu

    App->>TauriPluginLog: Builder.level(LevelFilter_Info)
    App->>TauriPluginLog: Builder.level_for("hyper", LevelFilter_Warn)
    App->>TauriPluginLog: Builder.level_for("reqwest", LevelFilter_Warn)
    App->>TauriPluginLog: Builder.level_for("tao", LevelFilter_Info)
    note over TauriPluginLog: Logging starts with default Info level

    TrayMenu->>TauriPluginLog: set_log_level(LevelFilter_Trace)
    note over TauriPluginLog: Runtime log level raised to Trace for debugging
Loading

File-Level Changes

Change Details Files
Change default application log level from Trace to Info while keeping tray-menu runtime overrides intact.
  • Update logger initialization to use Info as the default LevelFilter instead of Trace
  • Clarify inline comment to document that the tray menu can still raise log level to Trace for debugging
src-tauri/src/lib.rs

Assessment against linked issues

Issue Objective Addressed Explanation
#64 Change the default log level in src-tauri/src/lib.rs from Trace to Info to harden configuration.
#64 Update logging configuration/documentation comments to reflect the new Info default while noting that the tray-menu log-level control can still raise verbosity (e.g., to Trace) at runtime.

Possibly linked issues


Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Re-trigger cubic

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

program-s Program S — Security Hardening security Security finding or hardening

Projects

None yet

Development

Successfully merging this pull request may close these issues.

SEC-003: Default log level Trace (reclassified to configuration hardening)

1 participant