log/slog: JSONHandler should deduplicate keys #59365
Comments
seankhliao
changed the title
seankhliao
added
the
NeedsInvestigation
|
Whatever solution is chosen here, I would argue that it should work even if the user explicitly provides duplicate names: logger.LogAttrs(
context.Background(),
slog.LevelWarn,
"fancy message",
slog.String("duplicate", "alpha"),
slog.String("duplicate", "bravo"),
slog.String("duplicate", "charlie"),
slog.String("duplicate", "delta"),
slog.String("duplicate", "echo"),
)One possible solution is to use a "#%d" scheme similar to how {
"time": "2023-04-01T04:27:46.0959443-06:00",
"level": "WARN",
"msg": "fancy message",
"duplicate": "alpha",
"duplicate#01": "bravo",
"duplicate#02": "charlie",
"duplicate#03": "delta",
"duplicate#04": "echo",
} |
|
I think the current situation is fine, duplicate keys aren't invalid, just less interoperable. As for the original issue, I'll note that option 3 was why WithGroup was added (though this doesn't affect deduplication in general). |
Technically you are correct. Under RFC 8259, section 4, duplicate names are essentially treated as undefined behavior. In a possible future major version of "encoding/json", we will likely make duplicate keys an explicit error (which is still complaint behavior with RFC 8259) as this lack of checking has been exploited, resulting in severe security vulnerabilities (e.g., CVE-2017-12635). It's unlikely that duplicate names will have such drastic security implications in logging, but strict checking of duplicate names is likely the overall direction that JSON will gradually move towards. As an aside, Tim Bray, the author of RFC 8259 actually recommends against naïve compliance with RFC 8259, but rather that implementations adhere to RFC 7493 which makes strict decisions on issues that RFC 8259 leaves as undefined. |
|
I think it's important to understand whether encoding/json v2 with its currently proposed semantics is likely to be the accepted version. We should probably align slog with those semantics, even if slog appears in Go before encoding/json v2. We're already doing that for formatting NaNs, infinities and, probably, durations (#59345). For this issue, if we think no dups will be the default for encoding/json v2, then I wouldn't be opposed to making it the default in slog and adding an |
That I can't really answer unfortunately. We haven't even started the GitHub discussion on anything related to v2 "encoding/json" and may not be ready to do so for some months. A significant piece of work that remains is figuring out the inter-compatibility story between v1 and a hypothetical v2. That's perhaps the hardest part and requires quite a lot of head-scratching. That said, if there is a v2 "encoding/json", I feel like the security arguments for rejecting duplicate names by default is pretty compelling. The (very) tentative plan for v2 is that v1 "encoding/json" will actually be implemented in terms of v2 with the appropriate number of options specified that makes it behave semantically identically to what v1 "json" does today. Essentially, with the appropriate set of options, you can configure the semantics to be any hybrid mix that is in-between the default behavior of v1 and the default behavior of v2. Since "log/slog" already depends on the v1 semantics of "encoding/json", you could imagine doing nothing to address this issue for now. I don't think we should block adoption of "slog" on a hypothetical v2 "json". Nor should we overly massage the output of "slog" to match a hypothetical v2 "json". Supposing v2 "json" one day lands, you could imagine that v2 "json" be integrated into "slog" by exposing something like: package slog
type HandlerOptions struct {
// JSONOptions is a list of Option
// that configures how JSON is marshaled.
JSONOptions []json.Option
}To log each message, "slog" would do something like: // Start with DefaultV1Options since "slog" has historically
// marshaled with mostly v1 semantics by default.
opts := []json.Option{json.DefaultV1Options}
// We have historically specified Encoder.SetEscapeHTML(false).
// By passing a nil escape function, we achieve the same behavior.
opts = append(opts, json.EscapeRune(nil))
// Append any user-specified options,
// which will override any previously set options.
opts = append(opts, h.opts.JSONOptions...)
return json.Marshal(v, opts...)(You'll note that the options API for "json" above is different than what currently exists in "go-json-experiment/json". I mentioned elsewhere in #59339 that we're considering switching to variadic options as we see it as one of the ways to resolve the v1-to-v2 compatibility tensions). Thus, for someone to use v2 "json" with "slog", they would do something like: slog.HandlerOptions{
JSONOptions: []json.Option{json.DefaultV2Options},
}.NewJSONHandler(...)I should also note that You could also simplify the above by providing One could imagine that "slog" inspects
|
|
Thanks, @dsnet, that makes a lot of sense. |
|
It would be very unexpected if repeated calls to Log with the same key Structured logging defines a concept of a log event which is conceptually above any specific encoding like JSON or logfmt or et cetera. That concept of a log event is well-defined by convention, and that definition doesn't accommodate repeated keys. |
Possibly, but there are no good answers when it comes to duplicate names. It would be nice if the API made it statically impossible to have duplicates, Given the possibility of runtime duplicates, your options are:
With option 1, you risk the log parser later not being able to read the message entirely or accurately. Duplicate names result in undefined behavior where the parser might ignore duplicates, only use the first one, only use the last one, or use some merged form of all duplicates. With option 2, you avoid any ambiguities when reading, but are subtly dropping information when writing. With option 3, you avoid any ambiguities as to the meaning when reading, but are changing the meaning when writing. At least the meaning when reading is consistent across all parsers. Option 4a is decent as it allows the caller to at least realize that they're possibly holding the API wrong, but I suspect most people will not check the error of logging calls. Of all the bad options, option 4a with either 1 or 3 is probably the best approach. |
|
Option 2 is pretty clearly the correct choice.
I'm not sure why anyone would expect a structured logging library to never discard information. Emitting multiple structured log events with the same key is pretty clearly going to resolve to a single "winner" for that key, most likely the last event, but really any event would be acceptably valid. |
That's a matter of opinion. Just as how you find option 3 an odd position, I find option 2 an odd position. Every option has pros and cons.
Any value passed to |
|
Values passed to a structured logging library necessarily include a key which is, by definition, understood as unique within the target log event. So, no: it's definitely not the case that calling a structured logging method like LogAttrs can be assumed to produce any specific log output. Structured logging is, hopefully obviously, not equivalent to log.Printf, or fmt.Printf, or anything like that. |
|
@dsnet For option 4, how would an error be reported? A separate log line at warning level, or some out-of-band channel or something? Personally I would have probably expected option 2, where the latest value wins (except that the Message, Time, Level, and Source fields would always win over any Attribute values). My preferences, would probably be: option 1 would break a lot of log aggregation systems |
By technical definition, I agree. However, in practice, duplicates often occur due to human error. If I make a mistake, I would rather still have all duplicates logged (whether with option 1 or 3). As an aside, we should definitely create a vet check that detects accidental duplicate names.
I was thinking of an explicit error returned by |
I'm not sure how to evaluate whether or not a particular mistake made by consumers of an API is common enough to warrant changing the API to accommodate that mistake. Especially so if that change would violate the intuitive expectations of the API, as is the case here. |
I agree, I think a map is at least very close to the ideal data structure here. Regarding performance, the current implementation of type Buffer []byteIt's possible to also pool a type Buffer struct{
buf []byte
keys map[string]bool
group []string
}On freeing the
A contrasting approach: I think a
(I really don't have any opinion on what's necessary here - I don't see much need for deduplication personally, prior art in structured logging in Go doesn't deduplicate AFAIK, and yet the the arguments for deduplication seem pretty reasonable) |
Would that be able to detect duplicates in sub-packages though? I feel like the most common occurrence of duplicates will be adding attributes and telemetry before passing the logger down to libraries or other sub-packages.
Right now, errors coming from Handler are discarded by the most common slog methods (ie: Info, WarnCtx, etc). I certainly wouldn't want to change the signature of Info, WarnCtx, etc, to include returning the error. I suppose it is possible to use a middleware type handler that captures and does something with errors, but that wouldn't be something people would use by default. |
Depends on the complexity of call-tracking. This is a similar problem as vet checks for |
|
One option might be to rename duplicated keys to |
|
Another argument against option 2 (which discards data) is security. If untrusted input is able affect what names are present, then that can be used as a mechanism to hide malicious activity, knowing that it will not be logged. IMO, it seems better for readers to possibly choke on the malformed messages, than for the malicious activity to not be properly logged. An human investigator looking at the malformed message can see the duplicate shenanigan at play. |
|
There are many additional (and unavoidable) security concerns in a structured logging API beyond this one, often related to how values are rendered. It is always an error to pass untrusted input to a structured logger directly. |
Like what? The other security issue I can imagine is a DOS attack where you're tricked into logging something massive, but that's a distinctly different class of security issue from being able to hide activity or perform remote-code-execution.
I'm not sure I understand. Suppose we used a Go map such that you did something like: slog.Info(map[string]any{
"msg": "my wonderful message",
"other": "something else",
})Yes, you get the benefit of static compilation preventing duplicate map keys (although it can't check the implicit "time" and "level" keys). However, I'm missing the part where the pool helps out. When |
I don't think we need to input maps to achieve option (2) or (3), I think I should clarify. This technique doesn't involve any change that isn't internal to This map can be populated with keys visited when the handler traverses the attributes of the record, writing to output. A couple of quirks are that the traversal is made more interesting and dynamic by things like group Attrs, If this map is populated with visited keys, we can detect whether some key has been committed previously in the log line, and trigger behavior option (2) or (3) as a result. Big picture, I'm not enthusiastic about this as a solution, but I was surprised that it seemed more performant than I would've guessed. |
Consider a type which renders in one way in some version X, and a different (and richer) way in a subsequent version Y. Consider the case where that change results in sensitive information from that type which was previously not logged becoming logged. This happens easily if the type grows a new sensitive field in a new version. Such changes are in practice never considered breaking in terms of versioning. A downstream application which logs a value of that type will have one behavior if it includes version X of the relevant package, and a different behavior when it includes version Y, and that version upgrade is in practice never going to be noticed, or tested, by the downstream application. Printf based logging does not generally have this problem, because it is not conventional to pass values directly as a Printf log arguments. |
|
fwiw we once used a database driver that logged our database password in plain text when in debug mode, using regular old Printf (it was patched right away) I don't really see any security issues with structured logging that don't already exist with regular logging. And its not like this is log4j and we are executing the statements in the logs or trying resolve remote xml or something. If the data is strings, the worst case I can think of is accidental logging of sensitive data. |
|
A few points: @veqryn's specific problem, duplicate "source" keys, will be easy to resolve with a ReplaceAttr function once #59280 is approved. You can then distinguish a "source" attribute that comes from the handler by seeing if the value is a In general, if you don't like duplicate keys, you can write a wrapping Handler. That can return an error if you like, but it's worth remembering that logging is often the last resort for debugging in the wild. If you've ever been in a position where you can't debug because you have a picky logger that refuses to output everything it has, you know how frustrating that can be, and how happily you'd jettison your principles of careful error detection and failing fast for just a few more characters on the screen. This isn't a proposal, but if it were I'd vote to decline. We can always add dedup functionality later (though not as the default, it's true). As for json v2 compatibility, @dsnet has provided a good blueprint for how to achieve that when the time comes. But you go into the standard library with the packages you have, not the packages you wish you had. |
|
What if the fields are changed to dupe.1 dupe.2 etc but to keep it from going unnoticed there’s a new field added with a canonical name like “duplicated-fields”: [“dupe”] and if you see anything called duplicated-fields in your logs you know to go figure out what’s misconfigured. |
What version of Go are you using (
go version)?8edcddd
Does this issue reproduce with the latest release?
yes
What did you do?
What did you expect to see?
JSONHandler should be fixed by deduplicating those special keys (time, message, level, and source).
I use "source" as a key in a lot of my code right now, so I'd run into this problem.
Either
{ "time": "2023-04-01T04:27:46.0959443-06:00", "level": "WARN", "msg": "fancy message", "my attr": "something" }Or
{ "time": "2023-04-01T04:27:46.0959443-06:00", "level": "WARN", "msg": "fancy message", "msg.msg": false, "my attr": "something" }Or
{ "time": "2023-04-01T04:27:46.0959443-06:00", "level": "WARN", "msg": "fancy message", "fields": { "msg": false, "my attr": "something" } }Or
{ "time": "2023-04-01T04:27:46.0959443-06:00", "level": "WARN", "msg": "fancy message", "msg#01": false, "my attr": "something" }What did you see instead?
Invalid json. It would break our log aggregation. Default/Builtin handlers should never create invalid output.
{ "time": "2023-04-01T04:27:46.0959443-06:00", "level": "WARN", "msg": "fancy message", "msg": false, "my attr": "something" }@jba
The text was updated successfully, but these errors were encountered: