Sensitive filter on logger
Added a list of sensitive words to the Logger, which is part of service.Ctx.
Add sensitive words as early as possible, i.e. as soon as the secret enters the service, e.g. in this API handler:
func POSTAccountBillingInfo(params struct{}, request UPSERTAccountBillingInfoRequest) (res interface{}, err error) {
	// mark sensitive words to filter out from all logs
	service.Ctx.AddSensitiveWord(request.CreditCardDetails.CardCVV)
	service.Ctx.AddSensitiveWord(request.CreditCardDetails.CardName)
	service.Ctx.AddSensitiveWord(request.CreditCardDetails.CardNumber)
	...
Any use of service.Ctx.Debugf() (or the other log levels) will now filter those words out of the line, replacing each whole-word match with ***, as in this example:
2021-11-16 10:12:14 debug nctions/accounts/billing_info_post.go:37| Request: {AccountBillingInfo:{BaseModel:{} ID:45 AccountID:51 Account:<nil> ContactName:Billy ContactEmail:billy@example.com Company:Billy's company CompanyRegNo:BILLY123COMP456R TelNo:0127867860 VatNo:12121234455 Address:*** Billy street, Griffiths Area, WilliamsTown, 1234 LocalArea:Griffiths Area Zone:Gauteng PostalCode:1234 City:WilliamsTown Country:ZA PaymentMethodID:*** PaymentProvider:<nil> GatewayIdentifier: CardAssociation: CardPAN: CardExpiryMonth:0 CardExpiryYear:0 Status: ModifiedBy:0 TimeModified:<nil> TimeCreated:<nil>} CreditCardDetails:{CardName:MR BILLY COOLDUDE CardNumber:*** CardExpiryMonth:*** CardExpiryYear:2022 CardCVV:***}} {"request-id":"b28c1e78-91bf-4f17-9d85-8931ab27bab6"}
2021-11-16 10:12:14 debug *QueryHook)/database_query_logger.go:105| [BUN 10:12:14.732 SELECT 34.8ms UPDATE "account_billing_info" AS "account_billing_info" SET "account_id" = 51, "contact_name" = 'Billy', "contact_email" = 'billy@example.com', "company" = 'Billy''s company', "company_reg_no" = 'BILLY123COMP456R', "tel_no" = '0127867860', "vat_no" = '12121234455', "address" = '*** Billy street, Griffiths Area, WilliamsTown, 1234', "local_area" = 'Griffiths Area', "zone" = 'Gauteng', "postal_code" = '1234', "city" = 'WilliamsTown', "country" = 'ZA', "payment_method_id" = ***, "gateway_identifier" = 'BOGUS_20211027134431', "card_association" = 'VISA', "card_pan" = '***', "card_expiry_month" = ***, "card_expiry_year" = 2022, "status" = '', "modified_by" = ***, "time_modified" = '2021-11-16 10:12:14.697594+00:00' WHERE ("account_billing_info"."id" = 9)] {"request-id":"b28c1e78-91bf-4f17-9d85-8931ab27bab6"}
Note that the words should generally be at least 4 characters long, so that they do not match ordinary numbers and words that appear in logs. In this example the value "123" is a sensitive word, but it also occurs in the address and elsewhere, so those fields are masked as well. It is a poor sensitive word; values that short will be rare in practice. OTPs are generally 5-6 digits long, and card numbers and passwords are longer still, so they filter far more precisely than "123".
Note that 123 is matched only as a whole word: it does not match inside longer tokens above such as 1234 or BILLY123COMP456R.
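The behaviour described above (mask every registered value with ***, match whole words only, warn about short values) is easy to get subtly wrong, so here is a stand-alone Go sketch of such a filter. This is an added example written for this note, not the project's logger: SensitiveFilter, NewSensitiveFilter, MinSensitiveWordLen and the sample values are assumptions, and it only mirrors the service.Ctx.AddSensitiveWord / Debugf shape. Whole-word matching is done with RE2 word-boundary assertions, choosing \b or \B per edge so that a secret that begins or ends with punctuation is still matched as a whole token.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"sync"
)

// MinSensitiveWordLen follows the note above: shorter values are still masked,
// but AddSensitiveWord reports them as weak because they over-match.
const MinSensitiveWordLen = 4

// SensitiveFilter is a hypothetical stand-in for the filter behind
// service.Ctx.AddSensitiveWord; it is not the project's own implementation.
type SensitiveFilter struct {
	mu    sync.RWMutex
	words map[string]bool
	re    *regexp.Regexp // nil until at least one word is registered
}

func NewSensitiveFilter() *SensitiveFilter {
	return &SensitiveFilter{words: map[string]bool{}}
}

// AddSensitiveWord registers a value for masking in all later output and
// reports whether it is weak (shorter than MinSensitiveWordLen, in bytes).
// Empty values are ignored so that an unset field never masks everything.
func (f *SensitiveFilter) AddSensitiveWord(w string) (weak bool) {
	if w == "" {
		return false
	}
	f.mu.Lock()
	defer f.mu.Unlock()
	if !f.words[w] {
		f.words[w] = true
		f.rebuild()
	}
	return len(w) < MinSensitiveWordLen
}

// isWordChar mirrors RE2's \b definition: [0-9A-Za-z_].
func isWordChar(r rune) bool {
	return r == '_' || (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
}

// boundary returns the assertion that makes a match whole-word on the side
// adjacent to r: \b when r is a word char, otherwise \B (a secret ending in
// "!" must then be followed by another non-word char or end of text).
func boundary(r rune) string {
	if isWordChar(r) {
		return `\b`
	}
	return `\B`
}

// rebuild compiles one alternation of all registered words, longest first, so
// that when one secret is a prefix of another the longer one wins under Go's
// leftmost-first alternation.
func (f *SensitiveFilter) rebuild() {
	words := make([]string, 0, len(f.words))
	for w := range f.words {
		words = append(words, w)
	}
	sort.Slice(words, func(i, j int) bool {
		if len(words[i]) != len(words[j]) {
			return len(words[i]) > len(words[j])
		}
		return words[i] < words[j]
	})
	alts := make([]string, len(words))
	for i, w := range words {
		rs := []rune(w)
		alts[i] = boundary(rs[0]) + regexp.QuoteMeta(w) + boundary(rs[len(rs)-1])
	}
	f.re = regexp.MustCompile(strings.Join(alts, "|"))
}

// Filter masks every whole-word occurrence of a registered value with ***.
func (f *SensitiveFilter) Filter(s string) string {
	f.mu.RLock()
	re := f.re
	f.mu.RUnlock()
	if re == nil {
		return s
	}
	return re.ReplaceAllLiteralString(s, "***")
}

// Debugf formats like fmt.Sprintf and returns the masked line; a real logger
// would write it to its sink instead of returning it.
func (f *SensitiveFilter) Debugf(format string, args ...interface{}) string {
	return f.Filter(fmt.Sprintf(format, args...))
}

func main() {
	f := NewSensitiveFilter()
	// Constructed sample values modelled on the example above, not real data.
	fmt.Println("CVV reported as weak:", f.AddSensitiveWord("123"))
	f.AddSensitiveWord("MR BILLY COOLDUDE")
	f.AddSensitiveWord("4111111111111111")
	fmt.Println(f.Debugf("Request: {Address:%s RegNo:%s PostalCode:%s CardName:%s CardNumber:%s}",
		"123 Billy street, WilliamsTown, 1234", "BILLY123COMP456R", "1234",
		"MR BILLY COOLDUDE", "4111111111111111"))
}
```

Running it shows "123" masked in the address but left alone inside 1234 and BILLY123COMP456R, while the multi-word card name and the card number are masked as whole tokens. The filter is rebuilt on every new word, which is cheap for a handful of secrets per request; a high-volume service would want to batch the rebuild.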
The filter is also accessible from other areas of the code via service.Ctx.SensitiveWords and logger.FilterSensitiveWordsMap().
API logs and audit records are not yet filtered; that will wait until we have concluded that this approach works for us.