
Prevent instance methods of auth tokens from getting called in logging args #2113

Merged
merged 9 commits into develop from fw/token-to-string-logging
Mar 16, 2022

Conversation


@fawind fawind commented Mar 16, 2022

Before this PR

Something like this would not get flagged by the existing error-prone check:

```java
// "Before" case: the auth header is not passed as the SafeArg value itself,
// only the String returned by its toString(), so the type-based check misses it.
void myMethod(AuthHeader header) {
    log.info("msg", SafeArg.of("h", header.toString()));
}
```

After this PR

Instead of just checking that the type of the safe arg parameter is not an auth token, we can also verify that it is not the invocation of a method of an auth token.

Note that this only catches simple cases and can't handle indirections, e.g. header.toString() being called elsewhere and passed down to the arg.

==COMMIT_MSG==
Prevent instance methods of auth tokens from getting called in logging args
==COMMIT_MSG==

@fawind fawind requested a review from carterkozak March 16, 2022 13:58
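The two cases the description distinguishes (the value is an auth token; the value is the result of calling an instance method on an auth token) can be expressed as a single error-prone `BugChecker`. The checker below is an added illustration and is not the gradle-baseline check itself: the class name `AuthTokenSafeArgChecker`, the fully qualified token types in `AUTH_TOKEN_TYPES`, and the diagnostic messages are assumptions made for the example; only the error-prone API calls and `com.palantir.logsafe.SafeArg.of` are taken as given.

```java
import com.google.auto.service.AutoService;
import com.google.common.collect.ImmutableList;
import com.google.errorprone.BugPattern;
import com.google.errorprone.VisitorState;
import com.google.errorprone.bugpatterns.BugChecker;
import com.google.errorprone.matchers.Description;
import com.google.errorprone.matchers.Matcher;
import com.google.errorprone.matchers.method.MethodMatchers;
import com.google.errorprone.util.ASTHelpers;
import com.sun.source.tree.ExpressionTree;
import com.sun.source.tree.MethodInvocationTree;
import com.sun.tools.javac.code.Type;

/** Illustrative checker (not the gradle-baseline implementation). */
@AutoService(BugChecker.class)
@BugPattern(
        summary = "Auth tokens, and values derived from their instance methods, must not be logged as SafeArg",
        severity = BugPattern.SeverityLevel.ERROR)
public final class AuthTokenSafeArgChecker extends BugChecker
        implements BugChecker.MethodInvocationTreeMatcher {

    // Assumed set of auth token types for the example; a real check would keep its own list.
    private static final ImmutableList<String> AUTH_TOKEN_TYPES = ImmutableList.of(
            "com.palantir.tokens.auth.AuthHeader",
            "com.palantir.tokens.auth.BearerToken");

    // Matches the static factory SafeArg.of(name, value).
    private static final Matcher<ExpressionTree> SAFE_ARG_OF =
            MethodMatchers.staticMethod().onClass("com.palantir.logsafe.SafeArg").named("of");

    @Override
    public Description matchMethodInvocation(MethodInvocationTree tree, VisitorState state) {
        if (!SAFE_ARG_OF.matches(tree, state) || tree.getArguments().size() != 2) {
            return Description.NO_MATCH;
        }
        ExpressionTree value = tree.getArguments().get(1);

        // Case 1 (pre-existing behaviour): the value itself is an auth token,
        // e.g. SafeArg.of("h", header).
        if (isAuthToken(ASTHelpers.getType(value), state)) {
            return buildDescription(value)
                    .setMessage("Auth token passed as a SafeArg value")
                    .build();
        }

        // Case 2 (what this PR adds): the value is an instance-method call whose
        // receiver is an auth token, e.g. SafeArg.of("h", header.toString()).
        // Only the immediate receiver is inspected, so an intermediate local
        // variable (String s = header.toString(); SafeArg.of("h", s)) still slips through.
        if (value instanceof MethodInvocationTree) {
            ExpressionTree receiver = ASTHelpers.getReceiver(value);
            if (receiver != null && isAuthToken(ASTHelpers.getType(receiver), state)) {
                return buildDescription(value)
                        .setMessage("Result of an auth token instance method passed as a SafeArg value")
                        .build();
            }
        }
        return Description.NO_MATCH;
    }

    /** True when {@code type} is (a subtype of) one of the configured auth token types. */
    private static boolean isAuthToken(Type type, VisitorState state) {
        if (type == null) {
            return false;
        }
        for (String tokenTypeName : AUTH_TOKEN_TYPES) {
            // getTypeFromString returns null when the type is not on the compilation classpath.
            Type tokenType = state.getTypeFromString(tokenTypeName);
            if (tokenType != null && ASTHelpers.isSubtype(type, tokenType, state)) {
                return true;
            }
        }
        return false;
    }
}
```

Checking the receiver's static type rather than the call's return type is what closes the `toString()` gap: the returned `String` carries no marker, but the expression it was produced from does. As the description notes, this is deliberately a syntactic check on the argument expression; it does not follow data flow, so a value that was extracted from the token elsewhere and then passed in is not caught.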

@policy-bot policy-bot bot requested a review from CRogers March 16, 2022 14:02

@carterkozak carterkozak left a comment


thanks!


fawind commented Mar 16, 2022

👍

@bulldozer-bot bulldozer-bot bot merged commit d082f59 into develop Mar 16, 2022
@bulldozer-bot bulldozer-bot bot deleted the fw/token-to-string-logging branch March 16, 2022 14:25
@svc-autorelease

Released 4.76.0

This was referenced Mar 16, 2022
bulldozer-bot bot pushed a commit to palantir/witchcraft-api that referenced this pull request Mar 16, 2022
###### _excavator_ is a bot for automating changes across repositories.

Changes produced by the roomba/latest-baseline-oss check.

# Release Notes
## 4.76.0
| Type | Description | Link |
| ---- | ----------- | ---- |
| Improvement | Prevent instance methods of auth tokens from getting called in logging args | palantir/gradle-baseline#2113 |

To enable or disable this check, please contact the maintainers of Excavator.