
A lot of notifier properties come through when logging a request, including access token. #644

Closed
beeradmoore opened this issue Jun 22, 2023 · 5 comments · Fixed by #646

Comments

@beeradmoore

Describe the bug
A lot of notifier properties come through when logging a request with Rollbar.NET. Comparing to our php project it sends through 2 properties in notifier.*, in our .NET project it sends through 59. Main concern is it also sends through the token.

To Reproduce

  1. Create new project.
  2. Set up a logger like so
var rollbarToken = "myRollbarToken";
var rollbarEnvironment = "myEnv";
var rollbarConfig = new RollbarInfrastructureConfig(
    rollbarToken,
    rollbarEnvironment
);
RollbarInfrastructure.Instance.Init(rollbarConfig);
  3. Log a message
RollbarLocator.RollbarInstance.AsBlockingLogger(TimeSpan.FromSeconds(5)).LogError(new Exception("test 1"));

Expected behavior
An error event is triggered which tells you about an exception labelled "test 1", and also does not expose my rollbar config.

Screenshots
N/A

Rollbar Client - Rollbar.NET Hosting Environment (please complete the following information):

  • Rollbar.NET Host type: AWS Lambda
  • OS and its version: Linux
  • .NET flavor and its version: .NET 6
  • Rollbar.NET Version: 5.2.0

Additional context
The payload for the event listed in rollbar for the above log would look something like this (this was captured via debug on macOS so it may not align 100%, I can fetch the actual result later)

{
  "body": {
    "trace": {
      "frames": [
        {
          ...
        },
        {
          ...
        }
      ],
      "exception": {
        "message": "test 1",
        "class": "System.Exception"
      }
    }
  },
  "uuid": "23921fefsdfjsdi",
  "language": "c#",
  "level": "error",
  "timestamp": 1687390305,
  "custom": {},
  "environment": "myEnv",
  "platform": "....",
  "framework": ".NETCoreApp,Version=v6.0",
  "notifier": {
    "version": "5.2.0",
    "infrastructure_options": {
      "RollbarLoggerConfig": {
        "RollbarPayloadAdditionOptions": {
          "Person": null,
          "CodeVersion": null,
          "Server": null
        },
        "HttpProxyOptions": {
          "ProxyAddress": null,
          "ProxyUsername": null,
          "ProxyPassword": null
        },
        "RollbarDeveloperOptions": {
          "WrapReportedExceptionWithRollbarException": true,
          "LogLevel": "debug",
          "RethrowExceptionsAfterReporting": false,
          "Enabled": true,
          "PayloadPostTimeout": "00:00:30",
          "Transmit": true
        },
        "RollbarDataSecurityOptions": {
          "IpAddressCollectionPolicy": "Collect",
          "PersonDataCollectionPolicies": "None",
          "ScrubSafelistFields": [],
          "ScrubFields": [
            "Password",
            "passwd",
            "confirm_password",
            "password_confirmation",
            "accessToken",
            "auth_token",
            "authentication",
            "secret"
          ]
        },
        "RollbarDestinationOptions": {
          "Environment": "myEnv",
          "EndPoint": "https://api.rollbar.com/api/1/",
          "AccessToken": "myRollbarToken"
        }
      },
      "RollbarTelemetryOptions": {
        "TelemetryAutoCollectionInterval": "00:00:00",
        "TelemetryEnabled": false,
        "TelemetryQueueDepth": 5,
        "TelemetryAutoCollectionTypes": "None"
      },
      "RollbarOfflineStoreOptions": {
        "EnableLocalPayloadStore": false,
        "LocalPayloadStoreLocationPath": "/Users/someUser/.local/share",
        "LocalPayloadStoreFileName": "RollbarPayloadsStore.db"
      },
      "RollbarInfrastructureOptions": {
        "CaptureUncaughtExceptions": true,
        "ReportingQueueDepth": 20,
        "PayloadPostTimeout": "00:00:30",
        "MaxItems": 10,
        "MaxReportsPerMinute": null
      }
    },
    "name": "Rollbar.NET (Rollbar.Net Notifier SDK)",
    "configured_options": {
      "RollbarPayloadAdditionOptions": {
        "Person": null,
        "CodeVersion": null,
        "Server": null
      },
      "HttpProxyOptions": {
        "ProxyAddress": null,
        "ProxyUsername": null,
        "ProxyPassword": null
      },
      "RollbarDeveloperOptions": {
        "WrapReportedExceptionWithRollbarException": true,
        "LogLevel": "debug",
        "RethrowExceptionsAfterReporting": false,
        "Enabled": true,
        "PayloadPostTimeout": "00:00:30",
        "Transmit": true
      },
      "RollbarDataSecurityOptions": {
        "IpAddressCollectionPolicy": "Collect",
        "PersonDataCollectionPolicies": "None",
        "ScrubSafelistFields": [],
        "ScrubFields": [
          "Password",
          "passwd",
          "confirm_password",
          "password_confirmation",
          "accessToken",
          "auth_token",
          "authentication",
          "secret"
        ]
      },
      "RollbarDestinationOptions": {
        "Environment": "myEnv",
        "EndPoint": "https://api.rollbar.com/api/1/",
        "AccessToken": "myRollbarToken"
      }
    }
  },
  "metadata": {
    "customer_timestamp": 1687426305
  }
}

I would expect with the above that this is excessive, and also exposing the token is not ideal. I tried to scrub the notifier property but it then generated a different rollbar API error: Invalid format. data.notifier should be object.

Is this output to be expected? Is there any way I can minify it?
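To make the case-sensitivity gap the reporter suspects below concrete, here is an added example (not Rollbar.NET's own code, and in Python rather than C# because it only inspects the JSON payload) that walks a constructed, trimmed copy of the payload above and reports any key from the SDK's default ScrubFields list that still carries a value, first with exact-match key comparison and then case-insensitively, followed by a recursive redaction pass a sender could apply before transmission. Whether the SDK's scrubber really compares keys case-sensitively is the reporter's suspicion, not something the thread confirms; the scrub list here is a subset of the one shown in the payload.

```python
REDACTED = "[REDACTED]"

# Subset of the default ScrubFields list visible in the issue's payload.
DEFAULT_SCRUB_FIELDS = ["Password", "accessToken", "secret"]

# Constructed, trimmed copy of the payload shown in the issue.
SAMPLE_PAYLOAD = {
    "body": {"trace": {"exception": {"message": "test 1", "class": "System.Exception"}}},
    "environment": "myEnv",
    "notifier": {
        "version": "5.2.0",
        "infrastructure_options": {
            "RollbarLoggerConfig": {
                # The scrub list itself contains "accessToken" as a *value*, not a key.
                "RollbarDataSecurityOptions": {"ScrubFields": list(DEFAULT_SCRUB_FIELDS)},
                "RollbarDestinationOptions": {
                    "Environment": "myEnv",
                    "EndPoint": "https://api.rollbar.com/api/1/",
                    "AccessToken": "myRollbarToken",
                },
            }
        },
        "configured_options": {
            "HttpProxyOptions": {"ProxyPassword": None},
            "RollbarDestinationOptions": {"AccessToken": "myRollbarToken"},
        },
    },
}


def find_leaks(node, scrub_fields, case_sensitive=True, path="$"):
    """Return JSON paths of keys that match a scrub field but still hold a value."""
    wanted = set(scrub_fields) if case_sensitive else {f.lower() for f in scrub_fields}
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            probe = key if case_sensitive else key.lower()
            if probe in wanted and value not in (None, "", REDACTED):
                hits.append(child)
            hits.extend(find_leaks(value, scrub_fields, case_sensitive, child))
    elif isinstance(node, list):  # list items are values, so only recurse into them
        for i, item in enumerate(node):
            hits.extend(find_leaks(item, scrub_fields, case_sensitive, f"{path}[{i}]"))
    return hits


def redact(node, scrub_fields):
    """Return a copy with every case-insensitive scrub-field key replaced by REDACTED."""
    wanted = {f.lower() for f in scrub_fields}
    if isinstance(node, dict):
        return {k: REDACTED if k.lower() in wanted and v is not None else redact(v, scrub_fields)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item, scrub_fields) for item in node]
    return node
```

Running `find_leaks` on a payload captured from a debug session is a cheap pre-send check that the scrub configuration actually covers the keys the SDK serializes.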

@beeradmoore
Author

@rollbar-bborsits , sorry for the tag, but is there any way to minify this, and also exclude our access token from appearing in rollbar items? Not sure if this is normal that the rollbar token is visible in data on the dashboard, especially with the incident that happened recently.

I'll try logging with ignoring AccessToken, not just accessToken, as maybe it's case sensitive.

@ghost

ghost commented Sep 19, 2023

Hey @beeradmoore, no worries. I'm sorry for the late response. I was on holiday. Can you open a support ticket here? As this is a security-related question, we might need to clarify more details.

@beeradmoore
Author

No worries. That is now sent through. Ticket number is 56346.

@beeradmoore
Author

@csaba-ilonka-rollbar , did this not go out as a nuget update?

@csaba-ilonka-rollbar
Contributor

> did this not go out as a nuget update?

@beeradmoore you are right, sorry about that. I just published v5.2.2 on NuGet.
