Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upIs the Express-PouchDB logger leaking potentially private data? #52
Comments
yaronyg
added
the
Security
label
Jul 28, 2015
yaronyg
added
the
1 - Backlog
label
Nov 18, 2015
yaronyg
added
0 - Icebox
and removed
1 - Backlog
labels
Jan 5, 2016
yaronyg
added
the
Icebox
label
Feb 9, 2016
yaronyg
added this to the V1 milestone
Aug 3, 2016
yaronyg
added
1 - Backlog
and removed
0 - Icebox
labels
Aug 4, 2016
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
mohlsen
Aug 19, 2016
Member
looks like the majority of the logging is only when the log level is set to debug. I assume this configuration would not be used in production. Is this really a concern?
|
looks like the majority of the logging is only when the log level is set to debug. I assume this configuration would not be used in production. Is this really a concern? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
yaronyg
Aug 22, 2016
Member
This bug checks a few things:
- What are we setting our logging to?
- Checking that whatever logging level we are set to doesn't leak any data.
The really worrisome issue is - what do we do about future changes in logging in Express-PouchdB? Do we audit ever time we get a version increase?
|
This bug checks a few things:
|
yaronyg
added
bug
Node
and removed
1 - Backlog
labels
Oct 6, 2016
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
yaronyg commentedJul 28, 2015
•
edited
Edited 1 time
-
yaronyg
edited Oct 6, 2016 (most recent)
The logger built into Express-PouchDB logs things like IP addresses, methods, request params, headers and status codes. It's not clear if all of this is potentially a data leakage scenario where it's info we shouldn't really be keeping.