don't log the license key even in debug/audit #2339
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
By default the license key isn't logged given a) the default non-debug log level, and b) the default of not enabling the audit log. While accuracy in those 2 non-default contexts can be useful in general, the inclusion of the license key does not provide much value and can serve to make log data more sensitive than it needs to be. Filter out the license key from all contexts.
fallwith
requested review from
hannahramadan,
kaylareopelle and
tannalynn
as code owners
|
There is actually another area that logs the license key, I'm not sure if you want to include it in this PR, or address it separately, but when in debug level logging, we log all the config values from each source the agent receives, so the license key gets logged that way as well Let me know if there is anything i can help with! |
- Ensure the license key is not reported in the settings hash within the connect payload - Ensure the license key is not debug logged via the 'Updating config...' debug log entry - When filtering out the license key from URIs, use an asterisk based mask
| @@ -3,6 +3,8 @@ | |||
| # frozen_string_literal: true | |||
|
|
|||
| module NewRelic | |||
| ASTERISK = '*' | |||
There was a problem hiding this comment.
Nice! After this PR, let's consider replacing the two places the agent references '*' with this constant.
given the short/simple evaluation involved, perform logic inline as opposed to stored its result in a variable and referencing the variable
SimpleCov Report
|
tannalynn
approved these changes
Dec 1, 2023
kaylareopelle
approved these changes
Dec 1, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By default the license key isn't logged given a) the default non-debug log level, and b) the default of not enabling the audit log.
While accuracy in those 2 non-default contexts can be useful in general, the inclusion of the license key does not provide much value and can serve to make log data more sensitive than it needs to be.
Filter out the license key from all contexts.