Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix #76: Safe exception messages provide argument data #77

Merged
merged 2 commits into from
Oct 30, 2018
Merged

fix #76: Safe exception messages provide argument data #77

merged 2 commits into from
Oct 30, 2018

Conversation

carterkozak
Copy link
Contributor

Only logMessage is redacted.

@carterkozak carterkozak requested a review from a team as a code owner October 29, 2018 18:32
@carterkozak carterkozak force-pushed the ckozak/args_in_exception_message branch from 89e8b66 to ee23917 Compare October 29, 2018 18:36
@carterkozak
Copy link
Contributor Author

fyi @uschi2000 @iamdanfox

dansanduleac
dansanduleac reviewed Oct 30, 2018
View reviewed changes
preconditions/src/main/java/com/palantir/logsafe/exceptions/SafeExceptions.java Outdated
}
}
return sb.append('}')
.toString();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one line

dansanduleac
dansanduleac reviewed Oct 30, 2018
View reviewed changes
preconditions/src/main/java/com/palantir/logsafe/exceptions/SafeExceptions.java Outdated
Arg<?> argument = args[i];
sb.append(argument.getName())
.append("=")
.append(argument.getValue());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one line

dansanduleac
dansanduleac reviewed Oct 30, 2018
View reviewed changes
preconditions/src/main/java/com/palantir/logsafe/exceptions/SafeExceptions.java
.append(argument.getValue());
if (i < args.length - 1) {
sb.append(", ");
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe we should just copy this code from conjure-java-runtime which already does what you want!
https://github.com/palantir/conjure-java-runtime-api/blob/8d23fc7fb11481033ca4867fdb99a93186b108ac/errors/src/main/java/com/palantir/conjure/java/api/errors/ServiceException.java#L95-L117

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(except the first line, but e.g. it avoids printing out : {} in the trivial case where there are no arguments)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@carterkozak
Copy link
Contributor Author

Updated, thanks for the feedback

@dansanduleac dansanduleac merged commit b408ca1 into palantir:develop Oct 30, 2018
@iamdanfox
Copy link
Contributor

@dansanduleac @cakofony I think this PR is not entirely safe because people may have assumed that the message of a SafeRuntimeException is safe to log.

Before this PR, that would have been true because we have baseline-error-prone enforcing that people only write constant messages.

However after this PR, the following snippet could cause a leak because e.getMessage() contains the unsafe arg 'danger':

try {
  throw new SafeRuntimeException("...", UnsafeArg("danger", danger));
  // ...

catch (SafeRuntimeException e) {
	log.info("Ignoring something and retrying", SafeArg.of("message", e.getMessage());
	//                                                                ^ 🔥🔥🔥
    retry();
}

As a compromise, could we just omit all the UnsafeArgs from the exception message and accept that they will just never be visible in logs produced by non-palantir slf4j implementations? Alternatively, I think we need to urgently extend our errorprone checks to prevent the above scenario.

@iamdanfox iamdanfox mentioned this pull request Nov 1, 2018
Closed
@carterkozak
Copy link
Contributor Author

Only including safe args doesn’t provide enough data to debug applications which do not produce sls service logs.

Logging a safe arg of getMessage is strictly worse than using getLogMessage, since only the latter is guaranteed to be safe.

@iamdanfox
Copy link
Contributor

Any chance you could pop an extra errorprone check into baseline then? I think this means we could wholesale ban anyone writing SafeArg.of("...", e.getMessage())

@carterkozak
Copy link
Contributor Author

Sure thing

@carterkozak
Copy link
Contributor Author

@iamdanfox Cheers palantir/gradle-baseline#444
We may also want this in order to differentiate between throwable messages and SafeLoggable log messages in testing: #78

@iamdanfox iamdanfox mentioned this pull request Feb 22, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dansanduleac dansanduleac dansanduleac approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@carterkozak @iamdanfox @dansanduleac