
Versatile masking

Open rahulaga opened this issue 8 years ago • 5 comments

I looked at this https://github.com/javabeanz/owasp-security-logging/wiki/Masking However that is very limited and requires logging statements to be written in a very specific way.

I have created this regex based Logback converter. https://gist.github.com/rahulaga/8bd7ca7b521a7858e86c0a51fffe3f03

Configure it as such:

```xml
<conversionRule conversionWord="maskedMsg" converterClass="MaskingConverter" />
<property name="CONSOLE_LOG_PATTERN" value="%mdc{TID} %date %-5level [%thread] %logger{0} - %maskedMsg{ password|token, username, apiKey, email }%n" />
```

I think it would be useful for the community and something anyone could easily drop in.

rahulaga, Feb 09 '17 17:02

@rahulaga This looks very cool. I'd be concerned about the execution speed of doing pattern matching on every log statement in high performance environments, but I would love to add this as an option.

Will you send a pull request?

augustd, Feb 09 '17 18:02

Where does the option list come from? Is it possible to define custom regexes in configuration?

I could see easily matching on an email address, credit card, SSN, etc, but if a password ~~can~~ should contain any character set how will you match on it without masking everything?

augustd, Feb 09 '17 18:02

Thanks, sure, I can look into a pull. The options list comes from the pattern provided in the config. I have 4 preset types of masking: CompleteMask, MaskExceptFirstFour, MaskAllButLastFour, EmailMasking. You could certainly expand on those options to include regexes in config too. Performance-wise, the regexes are precompiled on init. I think masking benefit and flexibility may be a tradeoff to consider in your situation.

rahulaga, Feb 10 '17 05:02
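A worked version of such a converter, added here as an example for this thread (it is not the gist linked above, the pull request, or the project's own code): a Logback `ClassicConverter` that reads its keys from the `%maskedMsg{...}` options, precompiles one regex per option in `start()` (addressing the performance concern raised above), and applies the four preset mask types named in the thread. The package name, the `key:MASK_TYPE` option syntax, the enum names and the sample log line are assumptions made for the example.

```java
// Added example converter; not the gist or the project's code.
// Assumed option syntax in the pattern, one regex per comma-separated option:
//   %maskedMsg{ password|token, apiKey:MASK_EXCEPT_FIRST_FOUR, email:EMAIL_MASKING }
// Register it with the fully-qualified class name (hypothetical package):
//   <conversionRule conversionWord="maskedMsg"
//                   converterClass="com.example.logging.MaskingConverter" />
package com.example.logging;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import ch.qos.logback.classic.pattern.ClassicConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;

public class MaskingConverter extends ClassicConverter {

    /** The four preset mask types named in the issue thread (enum names assumed). */
    enum MaskType { COMPLETE_MASK, MASK_EXCEPT_FIRST_FOUR, MASK_ALL_BUT_LAST_FOUR, EMAIL_MASKING }

    private static final class Rule {
        final Pattern pattern;
        final MaskType type;
        Rule(Pattern pattern, MaskType type) { this.pattern = pattern; this.type = type; }
    }

    private final List<Rule> rules = new ArrayList<>();

    /** Compile every option once, at start-up, not per log event. */
    @Override
    public void start() {
        List<String> options = getOptionList();
        if (options != null) {
            for (String option : options) {
                String[] parts = option.trim().split(":", 2);
                MaskType type = MaskType.COMPLETE_MASK;   // safest default: hide everything
                if (parts.length == 2) {
                    try {
                        type = MaskType.valueOf(parts[1].trim());
                    } catch (IllegalArgumentException e) {
                        addError("Unknown mask type '" + parts[1] + "', using COMPLETE_MASK");
                    }
                }
                // "password|token" shares one rule; quote each key so it is matched literally.
                StringBuilder alternatives = new StringBuilder();
                for (String key : parts[0].split("\\|")) {
                    if (alternatives.length() > 0) alternatives.append('|');
                    alternatives.append(Pattern.quote(key.trim()));
                }
                // Group 1: key plus separator (key=, key: , "key":"); group 2: the value,
                // which runs until whitespace, a comma, a quote or a closing brace.
                Pattern p = Pattern.compile("(?i)([\"']?(?:" + alternatives + ")[\"']?\\s*[=:]\\s*[\"']?)([^\\s,\"'}]+)");
                rules.add(new Rule(p, type));
            }
        }
        super.start();
    }

    @Override
    public String convert(ILoggingEvent event) {
        String message = event.getFormattedMessage();
        if (message == null || !isStarted()) {
            return message;
        }
        for (Rule rule : rules) {
            Matcher m = rule.pattern.matcher(message);
            StringBuffer sb = new StringBuffer();
            while (m.find()) {
                m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + mask(m.group(2), rule.type)));
            }
            m.appendTail(sb);
            message = sb.toString();
        }
        return message;
    }

    /** Apply one preset. Values of four characters or fewer are masked completely so nothing leaks. */
    static String mask(String value, MaskType type) {
        int n = value.length();
        switch (type) {
            case MASK_EXCEPT_FIRST_FOUR:
                return n <= 4 ? stars(n) : value.substring(0, 4) + stars(n - 4);
            case MASK_ALL_BUT_LAST_FOUR:
                return n <= 4 ? stars(n) : stars(n - 4) + value.substring(n - 4);
            case EMAIL_MASKING: {
                int at = value.indexOf('@');
                if (at <= 1) return stars(n);            // no usable local part: hide it all
                return value.charAt(0) + stars(at - 1) + value.substring(at);
            }
            default:
                return stars(n);
        }
    }

    private static String stars(int count) {
        StringBuilder sb = new StringBuilder(count);
        for (int i = 0; i < count; i++) sb.append('*');
        return sb.toString();
    }
}
```

With the options shown in the header comment, a constructed message `user=alice password=hunter2 token="abc123" apiKey=1234567890 email=alice@example.com` is emitted as `user=alice password=******* token="******" apiKey=1234****** email=a****@example.com`. The converter only catches values written in a `key=value` or `key: "value"` shape with no whitespace in the value; a secret logged in any other form passes through, so this is a safety net behind not logging secrets in the first place, not a substitute for it. Each rule is one regex pass over every event, so keep the key list short in high-volume loggers.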

Submitted pull for your reference https://github.com/javabeanz/owasp-security-logging/pull/15

rahulaga, Feb 14 '17 18:02

Thanks for your contribution, Rahulaga. Next step is making the documentation match the new functionality.

javabeanz, Feb 14 '17 20:02