Log more interesting information #72

thriqon · 2022-11-07T08:05:38Z

For our use case, we want do log additional information about a CSP report.

This change should be backwards-compatible:

The path field is new, but in structured logging and in JSON additional fields should not be a problem.
Client IP logging is disabled by default, as client IP is considerered sensitive data. Logging it should be opt-in.
In certain use cases, the query string or the fragment part (if transmitted by the browser) might contain sensitive data, which might no be needed to act on the report. Thus, it shouldn't be logged at all.

From experience, browser sometimes transmit query strings and fragments in the reports. In order to protect sensitive data, this might be harmful.

Allow logging multiple dimensions of meta information in the report URL.

jacobbednarz · 2022-11-09T02:26:58Z

thanks for the PR @thriqon, this looks great. if you can address the failing CI checks, i'm happy to merge this in given it's backwards compatible.

net/netip is not present in 1.17

Package net/netip is missing in default go setup.

thriqon · 2022-11-09T07:42:27Z

I've updated Go at three places, since net/netip is not available in 1.17.

jacobbednarz · 2022-11-09T07:58:37Z

i'm happy supporting 1.18+ (latest minus 2) so using that in CI seems reasonable to me 👍

thriqon · 2022-11-09T08:13:27Z

Removed usage of io/ioutil, replaced with io and os as recommended in the docs.

jacobbednarz · 2022-11-09T22:27:14Z

LGTM to me @thriqon, thanks for your effort getting this one over the line!

thriqon added 13 commits November 4, 2022 11:59

Use log library more consistently

1a73435

Move health check to dedicated function

80e199d

Localize debugFlag

fdd7a9d

Localize outputFormat

978bd08

Localize blockedURIfile

3ac82e9

Localize listenPort

5ad2f64

Localize health check path

649ee94

Restructure Handler as struct

c236c65

Log actually called report URI path

0a6bf00

Optionally truncate query string and fragments from URIs

f64559b

From experience, browser sometimes transmit query strings and fragments in the reports. In order to protect sensitive data, this might be harmful.

Allow logging of (truncated) client IP

397d785

Styling improvements

f147b5c

Parse query parameters as metadata object

a3b08f3

Allow logging multiple dimensions of meta information in the report URL.

thriqon added 2 commits November 9, 2022 08:24

Update go versions

0193d68

net/netip is not present in 1.17

Force go v1.19 in lint step

1ed5155

Package net/netip is missing in default go setup.

Add docs

2a77c0d

Replace io/ioutil (deprecated since 1.16)

53fd214

jacobbednarz merged commit 8e6e1f8 into jacobbednarz:master Nov 9, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Log more interesting information #72

Log more interesting information #72

Uh oh!

thriqon commented Nov 7, 2022

Uh oh!

jacobbednarz commented Nov 9, 2022

Uh oh!

thriqon commented Nov 9, 2022

Uh oh!

jacobbednarz commented Nov 9, 2022

Uh oh!

thriqon commented Nov 9, 2022

Uh oh!

jacobbednarz commented Nov 9, 2022

Uh oh!

Uh oh!

Log more interesting information #72

Log more interesting information #72

Uh oh!

Conversation

thriqon commented Nov 7, 2022

Uh oh!

jacobbednarz commented Nov 9, 2022

Uh oh!

thriqon commented Nov 9, 2022

Uh oh!

jacobbednarz commented Nov 9, 2022

Uh oh!

thriqon commented Nov 9, 2022

Uh oh!

jacobbednarz commented Nov 9, 2022

Uh oh!

Uh oh!