From: Maciej G. <mac...@gm...> - 2010-02-01 07:22:10
Hi,
When using log4perl recently in one of my Web-automation scripts I
asked myself the following question:
Is it possible to use the log4perl appenders, layouts etc. to mask
secret values (passwords) from the log files generated by log4perl?
For example, I routinely use log4perl to dump the data in web forms
before POSTing them. These forms often contain sensitive user
information and I wouldn't want any of my users to post a log with his
password on some public bugzilla. To this day I have manually filtered
out these secrets using a wrapper function used in sensitive places. I
feel however, that I need a better approach.
As a quick proof-of-concept I simply hacked my own version of the
Multiline appender adding the following code:
--- /usr/lib/perl5/vendor_perl/5.8.8/Log/Log4perl/Layout/PatternLayout/Multiline.pm 2009-12-30
14:27:32.000000000 +0100
+++ lib/Log/Log4perl/Layout/PatternLayout/Masked.pm 2010-02-01
07:24:01.000000000 +0100
@@ -1,8 +1,11 @@
#!/usr/bin/perl
-package Log::Log4perl::Layout::PatternLayout::Multiline;
+package Log::Log4perl::Layout::PatternLayout::Masked;
use base qw(Log::Log4perl::Layout::PatternLayout);
+use Log::Log4perl::MDC;
+
+
###########################################
sub render {
###########################################
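Review bot: nothing in this hunk documents what the new layout expects under the MDC key "secrets" (a hash reference mapping each secret string to its replacement, as the render code below relies on), so a short POD note or a comment next to `use Log::Log4perl::MDC;` would help anyone configuring the Masked layout. Minor: the copied file keeps the `#!/usr/bin/perl` shebang of Multiline.pm, and the two blank lines added after the `use` line look unintended.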
@@ -13,8 +16,15 @@
$caller_level = 0 unless defined $caller_level;
my $result;
+ my $secret_list = Log::Log4perl::MDC->get("secrets");
for my $msg ( @messages ) {
+ # Mask the secret values if needed
+ if ( $secret_list ) {
+ foreach (keys %{$secret_list}) {
+ $msg =~ s/$_/$secret_list->{$_}/g;
+ }
+ }
$result .= $self->SUPER::render(
$msg, $category, $priority, $caller_level + 1
);
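Review bot: `$msg =~ s/$_/$secret_list->{$_}/g;` interpolates each secret as a regular expression, so a password containing `.`, `$`, `(` or `*` either fails to match (and stays in the log unmasked) or matches more than the secret; quote it literally with `s/\Q$_\E/$secret_list->{$_}/g`. The guard `if ( $secret_list )` should also check `ref $secret_list eq 'HASH'` before `keys %{$secret_list}`, since whatever was stored under the MDC key is otherwise dereferenced, and an empty-string key should be skipped because `s///g` would then insert the replacement between every character of the message.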
The "proper" solution however would be to make this feature
independent of the layout and appender used. I have tried to use
filters but unfortunately the filter function cannot change the
contents of the message. I think the best approach would be to allow
the filter function to change the contents of the message by passing a
reference to the message hash instead of a copy.
This of course will break compatibility with existing filters and they
would have to be rewritten. Fortunately, there are not a lot of them in
the Log4perl distribution; I don't know about any external ones.
What do you think about all of this? I'm willing to write the code &
tests needed to implement this feature properly if there is interest
in it.
Best regards,
Maciej Grela
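Taking the layout-level approach a step further, here is an added example written for this thread (not code from the post or from the Log4perl distribution): a layout that reads the secret map from the MDC like the patch does, but quotes each secret with \Q...\E and masks longer secrets first. `mask_secrets` and `My::MaskedLayout` are assumed names; the appender is wired up programmatically so the inline package needs no file of its own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed helper (not from the original post): mask each secret literally,
# longest first, so that a secret which is a prefix of another one cannot
# leave the tail of the longer secret exposed.
sub mask_secrets {
    my ($text, $secrets) = @_;
    return $text unless ref $secrets eq 'HASH';
    for my $secret (sort { length $b <=> length $a } keys %$secrets) {
        next unless length $secret;    # an empty key would match everywhere
        my $replacement = $secrets->{$secret};
        # \Q...\E quotes regex metacharacters, so 'p4$$w.rd' matches literally
        $text =~ s/\Q$secret\E/$replacement/g;
    }
    return $text;
}

# Hypothetical layout class, defined inline: masks the message using the
# MDC key "secrets" (hashref secret => replacement) before delegating.
package My::MaskedLayout;
use base qw(Log::Log4perl::Layout::PatternLayout);
use Log::Log4perl::MDC;

sub render {
    my ($self, $message, $category, $priority, $caller_level) = @_;
    $caller_level = 0 unless defined $caller_level;
    $message = main::mask_secrets($message, Log::Log4perl::MDC->get("secrets"));
    return $self->SUPER::render($message, $category, $priority, $caller_level + 1);
}

package main;
use Log::Log4perl qw(:levels);

# Wire the layout up programmatically (no config file has to load the class).
my $appender = Log::Log4perl::Appender->new(
    "Log::Log4perl::Appender::Screen", stderr => 0);
$appender->layout(My::MaskedLayout->new("%p %c - %m%n"));
my $logger = Log::Log4perl->get_logger("web.form");
$logger->add_appender($appender);
$logger->level($DEBUG);

# Constructed sample: secrets registered once, then a form dump is logged.
Log::Log4perl::MDC->put("secrets", { 'p4$$w.rd' => '********', 'p4$$' => '****' });
$logger->debug('POST login: user=alice password=p4$$w.rd token=p4$$');
```

Because the longer secret is masked first, the password field is replaced whole rather than being turned into the four-character mask followed by the leftover `w.rd`.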