Is the Express-PouchDB logger leaking potentially private data? #52

Open
yaronyg opened this Issue Jul 28, 2015 · 2 comments

Member

yaronyg commented Jul 28, 2015

The logger built into Express-PouchDB logs things like IP addresses, methods, request params, headers and status codes. It's not clear if all of this is potentially a data leakage scenario where it's info we shouldn't really be keeping.

@yaronyg yaronyg added the Security label Jul 28, 2015

@yaronyg yaronyg added the 1 - Backlog label Nov 18, 2015

@yaronyg yaronyg added 0 - Icebox and removed 1 - Backlog labels Jan 5, 2016

@yaronyg yaronyg added the Icebox label Feb 9, 2016

@yaronyg yaronyg added this to the V1 milestone Aug 3, 2016

@yaronyg yaronyg added 1 - Backlog and removed 0 - Icebox labels Aug 4, 2016

Member

mohlsen commented Aug 19, 2016

Looks like the majority of the logging is only when the log level is set to debug. I assume this configuration would not be used in production. Is this really a concern?

Member

yaronyg commented Aug 22, 2016

This bug checks a few things:

  1. What are we setting our logging to?
  2. Checking that whatever logging level we are set to doesn't leak any data.

The really worrisome issue is - what do we do about future changes in logging in Express-PouchDB? Do we audit every time we get a version increase?

@yaronyg yaronyg added bug Node and removed 1 - Backlog labels Oct 6, 2016
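
An added example, not part of the original thread and not Express-PouchDB code: one way to turn the "audit every time we get a version increase" question into an automated check is to capture log output at the configured level in a test and fail the build if it contains the categories named in the issue. The log line format and the names `auditLogLines` and `assertNoLeaks` are assumptions made for illustration.

```javascript
'use strict';

// Detectors for the logged categories from the issue that can identify a user.
// Methods and status codes are not flagged: on their own they are not private.
const DETECTORS = [
  { kind: 'ip-address',
    re: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/ },
  { kind: 'credential-header',
    re: /\b(?:authorization|cookie|set-cookie|x-auth-[\w-]+)\b["']?\s*[:=]/i },
  { kind: 'query-params',
    re: /\s\/[^\s?]*\?[^\s=]+=[^\s]+/ },
];

// Return one finding per (line, category) hit; line numbers are 1-based.
function auditLogLines(lines) {
  const findings = [];
  lines.forEach((text, i) => {
    for (const { kind, re } of DETECTORS) {
      if (re.test(text)) findings.push({ line: i + 1, kind });
    }
  });
  return findings;
}

// Throw with a summary so a CI job run on each dependency bump fails loudly.
function assertNoLeaks(lines) {
  const findings = auditLogLines(lines);
  if (findings.length > 0) {
    const summary = findings.map(f => `line ${f.line}: ${f.kind}`).join('; ');
    throw new Error(`log output contains private data: ${summary}`);
  }
  return true;
}

// Constructed sample lines (hypothetical format, not real Express-PouchDB output).
const SAMPLE_DEBUG = [
  '[debug] 192.0.2.44 GET /db/_all_docs?include_docs=true 200',
  '[debug] headers: {"authorization":"Basic <sample>","host":"example.test"}',
];
const SAMPLE_INFO = [
  '[info] GET /db/_all_docs 200',
  '[info] PUT /db/doc1 201',
];
```

In a real test the arrays would be replaced by lines captured from the server's log destination while a fixed set of requests is replayed at the production log level.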
