Is the Express-PouchDB logger leaking potentially private data? #52

yaronyg · 2015-07-28T00:42:26Z

The logger built into Express-PouchDB logs things like IP addresses, methods, request params, headers and status codes. It's not clear if all of this is potentially a data leakage scenario where it's info we shouldn't really be keeping.

mohlsen · 2016-08-19T18:08:03Z

looks like the majority of the logging is only when the log level is set to debug. I assume this configuration would not be used in production. Is this really a concern?

yaronyg · 2016-08-22T16:19:59Z

This bug checks a few things:

What are we setting our logging to?
Checking that whatever logging level we are set to doesn't leak any data.
The really worrisome issue is - what do we do about future changes in logging in Express-PouchdB? Do we audit ever time we get a version increase?

yaronyg added the Security label Jul 28, 2015

yaronyg added the 1 - Backlog label Nov 18, 2015

yaronyg added 0 - Icebox and removed 1 - Backlog labels Jan 5, 2016

yaronyg added the Icebox label Feb 9, 2016

yaronyg added this to the V1 milestone Aug 3, 2016

yaronyg added 1 - Backlog and removed 0 - Icebox labels Aug 4, 2016

yaronyg added bug Node and removed 1 - Backlog labels Oct 6, 2016

thaliproject / Thali_CordovaPlugin Archived

Is the Express-PouchDB logger leaking potentially private data? #52

Is the Express-PouchDB logger leaking potentially private data? #52

yaronyg commented Jul 28, 2015 •

edited

mohlsen commented Aug 19, 2016

yaronyg commented Aug 22, 2016

thaliproject / Thali_CordovaPlugin Archived

Is the Express-PouchDB logger leaking potentially private data? #52

Is the Express-PouchDB logger leaking potentially private data? #52

Comments

yaronyg commented Jul 28, 2015 • edited

mohlsen commented Aug 19, 2016

yaronyg commented Aug 22, 2016

yaronyg commented Jul 28, 2015 •

edited