[BUG] deserialization error exposes sensitive values in the logs #1943
Labels
C-bug
Category: Bug
Comments
dracarys18
added
C-bug
SanchithHegde
removed
the
S-awaiting-triage
|
I want to work on this Bug. Can it be assigned to me? |
|
@SanchithHegde I would like to look at this. please can you assign this to me. |
|
Sure, @jeevaprakashdr I've assigned this to you. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug Description
When there's a deserialization error from external systems serde exposes even the sensitive values in the logs.
For example a deserialization error from card locker:-
Unable to parse router::core::payment_methods::transformers::GetCardResponse from bytes b\"{\\\"card\\\":{\\\"cardId\\\":\\\"08657065-fa64-abcd\\\",\\\"externalId\\\":\\\"abcdefghijkl\\\",\\\"merchantId\\\":\\\"merchant1\\\",\\\"cardNumber\\\":\\\"121312313131313131\\\",\\\"cardExpYear\\\":\\\"25\\\",\\\"cardExpMonth\\\":\\\"10\\\",\\\"nameOnCard\\\":\\\"name\\\",\\\"cardFingerprint\\\":\\\"2602abcbabcabcabc\\\",\\\"cardGlobalFingerprint\\\":\\\"fafafafafafaf\\\",\\\"nickname\\\":\\\"hyperswitch\\\",\\\"customerId\\\":\\\"Customer123\\\"}}\"\n│\n╰─▶ \u001b[1mnot a valid credit card number at line 1 column 157\u001b[22m\nExpected Behavior
It should ideally mask the values in the logs like
Unable to parse router::core::payment_methods::transformers::GetCardResponse from bytes b\"{\\\"card\\\":{\\\"cardId\\\":\\\"08657065-fa64-abcd\\\",\\\"externalId\\\":\\\"abcdefghijkl\\\",\\\"merchantId\\\":\\\"merchant1\\\",\\\"cardNumber\\\":\\\"*****3131\\\",\\\"cardExpYear\\\":\\\"**\\\",\\\"cardExpMonth\\\":\\\"**\\\",\\\"nameOnCard\\\":\\\"***\\\",\\\"cardFingerprint\\\":\\\"2602abcbabcabcabc\\\",\\\"cardGlobalFingerprint\\\":\\\"fafafafafafaf\\\",\\\"nickname\\\":\\\"hyperswitch\\\",\\\"customerId\\\":\\\"****\\\"}}\"\n│\n╰─▶ \u001b[1mnot a valid credit card number at line 1 column 157\u001b[22m\nActual Behavior
Exposes even the sensitive values in the logs
Steps To Reproduce
Manually insert a wrong value into the database and try to fetch it with application. You will see a parsing error with the values exposed
Context For The Bug
No response
Environment
Are you using hyperswitch hosted version? Yes/No
If yes, please provide the value of the
x-request-idresponse header to help us debug your issue.If not (or if building/running locally), please provide the following details:
rustc --version):1.71.1cargo r --features vergen -- --version):NAHave you spent some time checking if this bug has been raised before?
Have you read the Contributing Guidelines?
Are you willing to submit a PR?
None
The text was updated successfully, but these errors were encountered: