Description
Problem
Default configuration includes user information (username, UID) in output, which could be sensitive in environments where logs are publicly exposed.
Current Behavior
Default template includes:
```yaml
prefix:
  template: "[{{.Timestamp}}] {{.Level}} {{.User}}@{{.PID}}: "
```
Example output:
```
[2024-01-15 14:30:00] ERROR alice@12345: Database connection failed
```
Information disclosed:
- Username: alice
- User ID (UID): Available via template variable
- Process ID: 12345
Potential Security Concerns
1. CI/CD Logs
```
# GitHub Actions public logs show:
[2024-01-15 14:30:00] INFO runner@67890: Deploying to production
```
Issue: Exposes runner username/system info
2. Shared Dashboards
```
# Splunk/ELK dashboard accessible to all team members
[2024-01-15 14:30:00] DEBUG john@11223: Processing credit card ****1234
```
Issue: Associates sensitive operations with specific users
3. Error Logs in Bug Reports
Please include logs:
```
[2024-01-15 14:30:00] ERROR admin@99999: Failed to connect to internal-db-prod.company.local
```
Issue: Exposes internal hostnames, admin usernames
Current Mitigation
Users can already disable user/PID information:
Option 1: Template without user/PID
```bash
logwrap --template '[{{.Timestamp}}] {{.Level}}: ' -- mycommand
```
Option 2: Config file
```yaml
prefix:
  template: "[{{.Timestamp}}] {{.Level}}: "
  user:
    enabled: false
  pid:
    enabled: false
```
Proposed Documentation
Add Security Section to README
## Security Considerations
### Information Disclosure
LogWrap's default configuration includes user and process information in output:
```
[2024-01-15 14:30:00] INFO alice@12345: Application started
                           ^^^^^ ^^^^^
                         username PID
```
**When this matters:**
- CI/CD logs exposed publicly (GitHub Actions, GitLab CI)
- Logs sent to shared dashboards (Splunk, ELK, Datadog)
- Error logs included in bug reports
- Logs stored in cloud services
**How to disable:**
**CLI:**
```bash
# Use template without user/PID variables
logwrap --template '[{{.Timestamp}}] {{.Level}}: ' -- command
```
**Config file:**
```yaml
prefix:
  template: "[{{.Timestamp}}] {{.Level}}: "
```
OR disable in config:
```yaml
prefix:
  user:
    enabled: false
  pid:
    enabled: false
```
### Best Practices
- Review template before public logging
- Use minimal templates in CI/CD
- Sanitize logs before sharing externally
- Consider log retention policies
Add Warning to Default Config
```yaml
# config.yaml (example)
prefix:
  # WARNING: Default template includes username and PID.
  # Review before using in public/shared environments.
  # For CI/CD, consider: "[{{.Timestamp}}] {{.Level}}: "
  template: "[{{.Timestamp}}] {{.Level}} {{.User}}@{{.PID}}: "
```
Add to godoc
```go
// pkg/formatter/formatter.go
// Template Variables:
//
// Security Note: Some variables may expose sensitive information:
//   - {{.User}}: Current username (consider privacy implications)
//   - {{.UID}}: User ID (internal system information)
//   - {{.PID}}: Process ID (system information)
//
// For public or shared logging environments, use minimal templates:
//   template: "[{{.Timestamp}}] {{.Level}}: "
```
Implementation Checklist
High Priority:
- Add security section to README.md
- Add warning comment to example config files
- Document in package godoc
Medium Priority:
- Add security note to CLI --help output
- Update CLAUDE.md with security guidance
- Add example "public logging" config
Nice to Have:
- Add --public-safe flag with minimal template
- Warn if user/PID in template when writing to files
- Add security scanning to CI
Example "Public Safe" Template
Add to examples/:
```yaml
# examples/public-safe.yaml
# Configuration safe for public/shared logging environments
prefix:
  template: "[{{.Timestamp}}] {{.Level}}: "
  timestamp:
    enabled: true
    format: "%Y-%m-%dT%H:%M:%S%z"  # ISO 8601
    timezone: "UTC"  # Use UTC for consistency
  # Explicitly disable user/PID
  user:
    enabled: false
  pid:
    enabled: false
output:
  format: "json"  # Structured for log aggregation
log_level:
  default: "INFO"
  detection:
    enabled: true
```
Usage:
```bash
logwrap -config examples/public-safe.yaml -- mycommand
```
Related Issues
- Improve security documentation and command validation boundaries #10 - Security documentation (cross-reference user info disclosure)
- Add comprehensive package-level documentation #14 - Package documentation (add security notes)
Not a Bug, But...
This is not a security vulnerability because:
- User has full control over template
- Information is about the user running the command
- No privilege escalation or data leak
However, it's a privacy/disclosure concern that should be:
- Clearly documented
- Easy to disable
- Highlighted in examples
References
- OWASP Logging Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
- CWE-532: Information Exposure Through Log Files: https://cwe.mitre.org/data/definitions/532.html
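
The checklist item "Warn if user/PID in template" can be implemented by inspecting the parsed template instead of string-matching it. The following is an added example, not logwrap's own code: `SensitiveFields` is a hypothetical helper, and it assumes the prefix is a Go `text/template` (as the `{{.User}}` syntax suggests); it follows plain actions and `{{if}}` branches only.

```go
package main

import (
	"fmt"
	"text/template"
	"text/template/parse"
)

// SensitiveFields (hypothetical helper, not logwrap code) lists the flagged fields
// (User, UID, PID) a prefix template references inside {{ }} actions, once each.
func SensitiveFields(prefix string) (out []string, err error) {
	t, err := template.New("prefix").Parse(prefix)
	if err != nil {
		return nil, err
	}
	pending := map[string]bool{"User": true, "UID": true, "PID": true}
	mark := func(ident []string, i int) {
		if i < len(ident) && pending[ident[i]] {
			delete(pending, ident[i])
			out = append(out, ident[i])
		}
	}
	var walk func(ns ...parse.Node)
	walk = func(ns ...parse.Node) {
		for _, n := range ns {
			switch v := n.(type) {
			case *parse.ListNode:
				if v != nil { // ElseList is nil when there is no {{else}}
					walk(v.Nodes...)
				}
			case *parse.ActionNode:
				walk(v.Pipe)
			case *parse.IfNode:
				walk(v.Pipe, v.List, v.ElseList)
			case *parse.PipeNode:
				for _, c := range v.Cmds {
					walk(c.Args...)
				}
			case *parse.FieldNode: // {{.User}} has Ident ["User"]
				mark(v.Ident, 0)
			case *parse.VariableNode: // {{$.PID}} has Ident ["$", "PID"]
				mark(v.Ident, 1)
			}
		}
	}
	walk(t.Tree.Root)
	return out, nil
}

func main() { fmt.Println(SensitiveFields("[{{.Timestamp}}] {{.Level}} {{.User}}@{{.PID}}: ")) }
```

Because the check works on the parse tree, a prefix containing the literal words "User" or "PID" outside an action produces no warning.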