Security issue with TalkerHttpLogger: Bearer tokens
Hi,
I was playing with Talker and the talker_http_logger package.
My app uses a piece of code very similar to the example:
```dart
import 'package:http_interceptor/http_interceptor.dart';
import 'package:talker_http_logger/talker_http_logger.dart';

void main() async {
  // Every request and response passing through this client is handed
  // to TalkerHttpLogger before it is sent / after it is received.
  final client = InterceptedClient.build(interceptors: [
    TalkerHttpLogger(),
  ]);
  await client.get("https://google.com".toUri());
}
```
Looking at the http logger:
```dart
class TalkerHttpLogger extends InterceptorContract {
  TalkerHttpLogger({Talker? talker}) {
    _talker = talker ?? Talker();
  }

  late Talker _talker;

  @override
  Future<BaseRequest> interceptRequest({
    required BaseRequest request,
  }) async {
    // The whole request object (headers included) is passed to the log entry.
    final message = '${request.url}';
    _talker.logTyped(HttpRequestLog(message, request: request));
    return request;
  }

  @override
  Future<BaseResponse> interceptResponse({
    required BaseResponse response,
  }) async {
    // Same for the response: headers are forwarded unmodified.
    final message = '${response.request?.url}';
    _talker.logTyped(HttpResponseLog(message, response: response));
    return response;
  }
}
```
The logger simply writes the request to the logs, including the headers, without obfuscating anything. This is a problem when the headers contain stuff like `Bearer 1234...`. These sensitive values are written in the clear to the logs.
I would suggest obfuscating these specific fields by default, with maybe a flag to disable the obfuscation.
Cheers
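One way to do what the report above asks for (mask credential-bearing headers before they reach the log, with a flag to turn masking off). This is an added example, not code from the talker_http_logger package or from the issue author: `RedactingHttpLogger`, `redactHeaders` and `defaultSensitiveHeaders` are hypothetical names chosen here, and it assumes only the `InterceptorContract` / `InterceptedClient` API from `http_interceptor` shown in the issue and Talker's `info()` method. The header list is a constructed starting point, not an exhaustive one.

```dart
import 'package:http/http.dart';
import 'package:http_interceptor/http_interceptor.dart';
import 'package:talker/talker.dart';

/// Headers whose values must never reach the logs (matched case-insensitively).
/// Constructed default list for this example; extend it per application.
const Set<String> defaultSensitiveHeaders = {
  'authorization',
  'proxy-authorization',
  'cookie',
  'set-cookie',
  'x-api-key',
};

/// Returns a copy of [headers] with sensitive values replaced by [mask].
/// For `Authorization` the scheme (e.g. `Bearer`) is kept so the log still
/// shows which mechanism was used, while the credential itself is masked.
Map<String, String> redactHeaders(
  Map<String, String> headers, {
  Set<String> sensitive = defaultSensitiveHeaders,
  String mask = '***',
}) {
  return headers.map((name, value) {
    final lower = name.toLowerCase();
    if (!sensitive.contains(lower)) return MapEntry(name, value);
    final space = value.indexOf(' ');
    final keepScheme = lower == 'authorization' && space > 0;
    return MapEntry(
        name, keepScheme ? '${value.substring(0, space)} $mask' : mask);
  });
}

/// Interceptor that logs request/response metadata through Talker and
/// redacts sensitive headers by default. Hypothetical class for this example.
class RedactingHttpLogger extends InterceptorContract {
  RedactingHttpLogger({
    Talker? talker,
    this.obfuscate = true, // set false to log raw headers (debug builds only)
    this.sensitiveHeaders = defaultSensitiveHeaders,
  }) : _talker = talker ?? Talker();

  final Talker _talker;
  final bool obfuscate;
  final Set<String> sensitiveHeaders;

  Map<String, String> _view(Map<String, String> headers) =>
      obfuscate ? redactHeaders(headers, sensitive: sensitiveHeaders) : headers;

  @override
  Future<BaseRequest> interceptRequest({required BaseRequest request}) async {
    _talker.info(
        '${request.method} ${request.url}\nheaders: ${_view(request.headers)}');
    return request;
  }

  @override
  Future<BaseResponse> interceptResponse(
      {required BaseResponse response}) async {
    _talker.info('${response.statusCode} ${response.request?.url}'
        '\nheaders: ${_view(response.headers)}');
    return response;
  }
}

void main() async {
  // Offline self-check of the redaction on constructed headers.
  final redacted = redactHeaders({
    'Authorization': 'Bearer 1234abcd',
    'Cookie': 'session=xyz',
    'Accept': 'application/json',
  });
  if (redacted['Authorization'] != 'Bearer ***' ||
      redacted['Cookie'] != '***' ||
      redacted['Accept'] != 'application/json') {
    throw StateError('redaction failed: $redacted');
  }
  print(redacted); // {Authorization: Bearer ***, Cookie: ***, Accept: application/json}

  // Wiring into a client exactly as in the package's own example.
  final client =
      InterceptedClient.build(interceptors: [RedactingHttpLogger()]);
  await client.get('https://example.com'.toUri(),
      headers: {'Authorization': 'Bearer 1234abcd'});
}
```

Masking is applied to a copy of the header map, so the outgoing request is untouched; only the log line changes. Keeping the scheme but dropping the credential gives an operator enough context to debug auth failures without the token ending up in log storage, and `obfuscate: false` remains an explicit opt-out rather than the default.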
Hello @JPFrancoia ! Great idea 🦄
I fully support the implementation of such functionality in the package. Do you have any representation or reference for this feature?
To fix this issue we can copy logic from this PR https://github.com/Frezyx/talker/pull/315
Ah yeah, I stopped using the http logger a while ago and I now use the gRPC one. I have implemented some token/payload obfuscation here: https://github.com/JPFrancoia/talker_grpc_logger/blob/master/lib/src/talker_grpc_logger_base.dart