This repository has been archived by the owner. It is now read-only.

Is the Express-PouchDB logger leaking potentially private data? #52

Open
yaronyg opened this issue Jul 28, 2015 · 2 comments

@yaronyg yaronyg commented Jul 28, 2015

The logger built into Express-PouchDB logs things like IP addresses, methods, request params, headers and status codes. It's not clear if all of this is potentially a data leakage scenario where it's info we shouldn't really be keeping.

@yaronyg yaronyg added the Security label Jul 28, 2015
@yaronyg yaronyg added the 1 - Backlog label Nov 18, 2015
@yaronyg yaronyg added 0 - Icebox and removed 1 - Backlog labels Jan 5, 2016
@yaronyg yaronyg added the Icebox label Feb 9, 2016
@yaronyg yaronyg added this to the V1 milestone Aug 3, 2016
@yaronyg yaronyg added 1 - Backlog and removed 0 - Icebox labels Aug 4, 2016

@mohlsen mohlsen commented Aug 19, 2016

Looks like the majority of the logging is only when the log level is set to debug. I assume this configuration would not be used in production. Is this really a concern?

@yaronyg yaronyg commented Aug 22, 2016

This bug checks a few things:

  1. What are we setting our logging to?
  2. Checking that whatever logging level we are set to doesn't leak any data.
    The really worrisome issue is - what do we do about future changes in logging in Express-PouchDB? Do we audit every time we get a version increase?
@yaronyg yaronyg added bug Node and removed 1 - Backlog labels Oct 6, 2016
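
One way to make the per-upgrade audit raised in the last comment repeatable, as an added example that is not part of the original thread or of Express-PouchDB: capture the logger's output at the configured level during a test run and scan it for the data classes the issue names. The log line format, the regex patterns and the names `DETECTORS`, `auditLogLines` and `SAMPLE_LOG` are assumptions made for illustration.

```javascript
'use strict';
// Added example: scan captured logger output for the data classes named in
// the issue (IP addresses, headers, request params). Methods and status codes
// are not flagged. Patterns and sample lines are assumptions, not
// Express-PouchDB's actual log format.
const DETECTORS = [
  // Dotted-quad IPv4 address (also catches IPv4-mapped IPv6 such as ::ffff:10.0.0.5).
  { kind: 'ip-address',
    re: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/ },
  // Header names that carry credentials or session identifiers, as "name": or name=.
  { kind: 'credential-header',
    re: /\b(?:proxy-authorization|authorization|set-cookie|cookie)\b\s*["']?\s*[:=]/i },
  // A request path followed by a query string with at least one key=value pair.
  { kind: 'query-params', re: /\s\/[^\s?]*\?[^\s=]+=[^\s]+/ },
];

// Returns one finding per offending line: { line: <1-based index>, kinds: [...] }.
// allowedKinds lets a project accept a data class it has decided it may keep.
function auditLogLines(lines, allowedKinds = []) {
  const findings = [];
  lines.forEach((text, i) => {
    const kinds = DETECTORS
      .filter((d) => d.re.test(text))
      .map((d) => d.kind)
      .filter((k) => !allowedKinds.includes(k));
    if (kinds.length > 0) findings.push({ line: i + 1, kinds });
  });
  return findings;
}

// Constructed sample: what a captured log might look like with debug enabled.
const SAMPLE_LOG = [
  'info GET /db/ 200',
  'debug 192.168.1.20 GET /db/_all_docs?startkey=alice 200',
  'debug headers {"authorization":"Basic <redacted>","accept":"application/json"}',
  'info PUT /db/doc1 201',
];

// In a CI job that runs after each dependency bump, a non-empty result fails the build.
console.log(JSON.stringify(auditLogLines(SAMPLE_LOG), null, 2));
```

Feeding the function the real log file produced by the project's integration tests, at the level used in production, answers both numbered checks in one run.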