feat: log non-sensitive query param fields in the httpmw logger #19532


Merged
cstyan merged 3 commits into `main` from `callum/query-param-logging`
Aug 26, 2025

cstyan (Contributor)

Blink helped here but its suggestion was to have a set map of sensitive fields based on predefined constants in various files, such as the api token string names. The map lookup would be faster than `strings.Contains` but would be more likely to lead to edge cases where new sensitive fields/slightly different formatting of a field leads to something sensitive being logged.

We could change back to the map of sensitive field names, or alternatively we could define a map/slice of field names we know we do want to log, such as the params for pagination and overall limits. Personally I would prefer this approach just so we don't need to go in and add new values for each new field we want to log (when we notice it's not present), but it's not a hill I would die on.

cstyan requested a review from Emyrk, August 25, 2025 20:35

github-actions bot commented Aug 25, 2025 (edited)

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

Emyrk (Member) left a comment

Should we only log `limit`, `page`, and `offset`?

I think we also need to include oauth query params like `state`, `client_secret`, etc. Coder is adding an OAuth server.

I just feel safer logging an explicit allow set, rather than a deny-list.

Emyrk (Member)

> Personally I would prefer this approach just so we don't need to go in and add new values for each new field we want to log (when we notice it's not present), but it's not a hill I would die on.

I do hear the argument for this. I still prefer the opt in approach to avoid logging anything that we should not.

cstyan force-pushed the `callum/query-param-logging` branch from 72e60ca to 893c00b, August 25, 2025 22:27
Signed-off-by: Callum Styan <callumstyan@gmail.com>
want to deny
Signed-off-by: Callum Styan <callumstyan@gmail.com>
Signed-off-by: Callum Styan <callumstyan@gmail.com>
cstyan force-pushed the `callum/query-param-logging` branch from 893c00b to ec3f727, August 26, 2025 17:43
cstyan merged commit f0cf0ad into `main`, Aug 26, 2025
47 of 48 checks passed
cstyan deleted the `callum/query-param-logging` branch, August 26, 2025 18:14
github-actions bot locked and limited conversation to collaborators, Aug 26, 2025
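
The deny-list versus allow-list trade-off discussed in this thread, as an added Go example that is not code from the pull request or from the project's repository. The allowed names `limit`, `page` and `offset` come from the review comment; the deny-list substrings, the helper function names and the sample query are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Hypothetical lists for illustration; not taken from the project's code.
var denySubstrings = []string{"token", "secret", "password", "key"}
var allowedParams = map[string]bool{"limit": true, "page": true, "offset": true}

// denyListOK reports whether a name passes the substring deny-list
// (the strings.Contains approach): anything not matched gets logged.
func denyListOK(name string) bool {
	for _, s := range denySubstrings {
		if strings.Contains(strings.ToLower(name), s) {
			return false
		}
	}
	return true
}

// allowListOK reports whether a name was explicitly opted in for logging.
func allowListOK(name string) bool { return allowedParams[name] }

// loggedParams returns, sorted, the "name=value" pairs a filter would log.
func loggedParams(q url.Values, ok func(string) bool) []string {
	var out []string
	for name, vals := range q {
		if ok(name) {
			out = append(out, name+"="+strings.Join(vals, ","))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample query: pagination plus OAuth-style parameters.
	q, _ := url.ParseQuery("limit=10&page=2&state=xyz&code=authcode123&client_secret=s3cr3t")
	fmt.Println("deny-list logs: ", loggedParams(q, denyListOK))
	fmt.Println("allow-list logs:", loggedParams(q, allowListOK))
}
```

On the sample query the deny-list filter still logs `code` and `state` because neither name matches a listed substring, while the allow-list filter logs only `limit` and `page`.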
Reviewers: Emyrk approved these changes

Assignees: cstyan