
I am using the library python-sonarqube-api, which shows a password in debug logs via a logger, which I consider a bug.

Until it can be fixed I need to hide the password in the logs. I am considering using a filter, but I am not sure how to use it without breaking the current structure of all loggers in the software.

Could you suggest a solution, please?

Přemysl Šťastný
  • Your program could encrypt this info before logging it. And then decrypt it after reading the log. https://stackoverflow.com/questions/27335726/how-do-i-encrypt-and-decrypt-a-string-in-python –  Mar 24 '22 at 11:44
  • @SembeiNorimaki I can't pass encrypted string to library...or at least I don't know how. – Přemysl Šťastný Mar 24 '22 at 11:47
  • In the link I provided, you have some examples on how to encrypt a string. If you can pass a string then you can pass an encrypted version of the string (it's still a string). The only thing to take in account is that you will then need to also provide a decryption method to recover the original data. –  Mar 24 '22 at 11:51
  • @SembeiNorimaki I understand that...but if I have no control how library works in inside, I can't provide any such method. – Přemysl Šťastný Mar 24 '22 at 11:53
  • Alternatively, can't you encrypt the logfile itself after it rotates (if it does that) and then have some sort of security (sorry, I don't know how it's set up). :) – Cow Mar 24 '22 at 11:59
  • @user56700 I am using Kibana, Elasticsearch and fluentd...So I think, this is also not a solution. :( – Přemysl Šťastný Mar 24 '22 at 12:01
  • Ouch I guess your bug report is the only solution then. – Cow Mar 24 '22 at 12:02
  • Possible solution: https://relaxdiego.com/2014/07/logging-in-python.html#redacting-logs-using-a-filter – Přemysl Šťastný Mar 24 '22 at 12:32

1 Answer

You can solve this problem using a custom Formatter.

import logging
import re

class SensitiveFormatter(logging.Formatter):
    """Formatter that removes sensitive information in logs."""

    @staticmethod
    def _filter(s):
        # Filter out the password with regex
        # or replace etc.
        # Replace here with your own regex..
        return re.sub(r"ABCDEF", r"<MASKED>", s)

    def format(self, record):
        original = logging.Formatter.format(self, record)  # call parent method
        return self._filter(original)

Then, use it inside your handlers:

# Create the specific logger
mylogger = logging.getLogger("foobar")
mylogger.setLevel(logging.DEBUG)
mylogger.propagate = False

# Create the handler
streamhandler = logging.StreamHandler()
streamhandler.setLevel(logging.INFO)

# Create the specific formatter
sensitive_formatter = SensitiveFormatter(
    fmt="[pid:%(process)d] - %(asctime)s - %(levelname)-8s - %(message).1000s"
)
streamhandler.setFormatter(sensitive_formatter)

mylogger.addHandler(streamhandler)

mylogger.info("This is a password: ABCDEF")

which prints:

[pid:453381] - 2023-02-07 14:47:56,075 - INFO     - This is a password: <MASKED>
vvvvv
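The question's constraint is to redact the password without reconfiguring every existing formatter. A logging.Filter attached to a handler rewrites the LogRecord itself, so whatever Formatter is already in place emits the masked text. This is an added example, not code from the answer or from the python-sonarqube-api project; the logger name sonarqube_demo, the secret hunter2 and the log lines are constructed for the demo.

```python
import io
import logging
import re

MASK = "<MASKED>"


class SecretRedactingFilter(logging.Filter):
    """Mask known secret values in a LogRecord before any Formatter sees it.

    Rewrites record.msg and record.args, so existing handlers and formatters
    emit the masked text unchanged. Attach it to a handler: a logger-level
    filter only sees records created on that exact logger, not propagated ones.
    """

    def __init__(self, secrets):
        super().__init__()
        # Longest first so a secret that is a prefix of another is masked whole;
        # re.escape because passwords often contain regex metacharacters.
        parts = sorted({s for s in secrets if s}, key=len, reverse=True)
        self._pattern = re.compile("|".join(map(re.escape, parts))) if parts else None

    def _redact(self, value):
        if self._pattern is None or not isinstance(value, str):
            return value
        return self._pattern.sub(MASK, value)

    def filter(self, record):
        record.msg = self._redact(record.msg)
        if isinstance(record.args, dict):  # logger.debug("%(pw)s", {"pw": ...})
            record.args = {k: self._redact(v) for k, v in record.args.items()}
        elif isinstance(record.args, tuple):
            record.args = tuple(self._redact(a) for a in record.args)
        return True  # never drop the record, only rewrite it


def demo(secret="hunter2"):
    """Constructed demo: a library-style logger that logs the secret at DEBUG."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(name)s %(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter([secret]))
    lib = logging.getLogger("sonarqube_demo")  # hypothetical library logger name
    lib.setLevel(logging.DEBUG)
    lib.propagate = False
    lib.handlers.clear()
    lib.addHandler(handler)
    lib.debug("POST /api/authentication login=%s password=%s", "admin", secret)
    lib.debug("Authorization: Basic %s", secret + ":")  # constructed line
    return stream.getvalue()
```

Text inside record.exc_info tracebacks is not covered by this filter, so a secret raised inside an exception message still needs a Formatter-level mask like the answer's.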