Skip to content

fix(logging): redact sensitive credentials from log output#522

Open
Patrick-Ehimen wants to merge 1 commit into
NethermindEth:mainfrom
Patrick-Ehimen:fix/redact-sensitive-logs
Open

fix(logging): redact sensitive credentials from log output#522
Patrick-Ehimen wants to merge 1 commit into
NethermindEth:mainfrom
Patrick-Ehimen:fix/redact-sensitive-logs

Conversation

@Patrick-Ehimen

Copy link
Copy Markdown

Closes #504

Summary

  • keymanager::Client (eth2util): stores bearer token as Secret<String> (secrecy crate). Derived Debug now prints Secret([REDACTED]) instead of the raw value. expose_secret() is called only at the HTTP header construction site.
  • KeymanagerConfig (dkg): replaces derived Debug with a manual impl that prints <redacted> for auth_token, following the existing LokiConfig pattern in the tracing crate. The field stays String so the bon builder API and CLI arg tests are unchanged.
  • bootnode::resolve_relay (p2p): adds a redact_url() helper that strips embedded userinfo (basic-auth credentials) from relay URLs before they appear in tracing fields.

Test plan

  • cargo test -p pluto-eth2util -- keymanagerclient_debug_redacts_auth_token passes
  • cargo test -p pluto-dkg -- keymanagerkeymanager_config_debug_redacts_auth_token passes
  • cargo test -p pluto-p2p -- bootnode::tests — all 3 redact_url_* tests pass

- Use Secret<String> in keymanager::Client so Debug prints [REDACTED]
- Manual Debug for KeymanagerConfig that redacts auth_token
- redact_url() helper in bootnode strips userinfo before log fields
- Unit tests for each redaction site

@emlautarom1 emlautarom1 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but we could use less code given the expected usages.

Comment thread Cargo.toml
subtle = "2.6"
unicode-normalization = "0.1.25"
zeroize = "1.8.2"
secrecy = "0.8"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please bump to the latest version

Suggested change
secrecy = "0.8"
secrecy = "0.10"

Comment on lines +153 to +164
fn redact_url(raw: &str) -> String {
let Ok(mut url) = Url::parse(raw) else {
return raw.to_owned();
};
if url.username().is_empty() && url.password().is_none() {
return raw.to_owned();
}
if url.set_username("").is_err() || url.set_password(None).is_err() {
return "<redacted>".to_owned();
}
url.to_string()
}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Relays do not carry credentials and we do not intend to support such feature. For reference check Charon v1.7.1: https://github.com/ObolNetwork/charon/blob/749d2d7ab0b8ace34f2e686a5af5910c8adb4dc0/p2p/bootnode.go#L155.

@emlautarom1

Copy link
Copy Markdown
Collaborator

Thanks for your contribution! Please take a look at the provided comments so we can proceed with the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement a redact logging

2 participants