
8.0.1 breaks Serilog.Enrichers.Sensitive "Operators" config, currently failing silently, leaking data

Open scott-r-lindsey opened this issue 6 months ago • 1 comments

Hi there,

Serilog.Enrichers.Sensitive supports masking of custom data types via Masking Operators, but it seems to no longer work after upgrading from 8.0.0 to 8.0.1.

{
  "Serilog": {
    "Using": [
      "Serilog.Enrichers.Sensitive"
    ],
    "Enrich": [
      {
        "Name": "WithSensitiveDataMasking",
        "Args": {
          "options": {
            "MaskValue": "CUSTOM_MASK_FROM_JSON",
            "Operators": [ "MyApplication.Logging.Serilog.MyCustomMaskingOperator, MyAppliation.Logging" ]
          }
        }
      }
    ]
  }
}

This should cause "MyApplication.Logging.Serilog.MyCustomMaskingOperator" to be invoked on each log event to add extra filtering, but after an upgrade to 8.0.1, it instead fails silently.

Fortunately, we spotted this before going to production with current dependencies and we can roll back. However, it seems likely that someone is leaking sensitive data into log files right now.

scott-r-lindsey, Aug 08 '24 19:08
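A startup canary is one way to turn the silent failure described in this issue into a hard failure. This is an added example, not code from the issue or from either Serilog project. `CollectingSink`, `MaskingCanary`, `EnsureMasked` and the `canary` parameter are hypothetical names. It assumes masking is applied globally rather than only inside a sensitive area, and that `canary` is a constructed, non-secret value that the custom operator is written to mask.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;
using Serilog;
using Serilog.Core;
using Serilog.Events;

// Collects events in memory so the check can inspect what a real sink would receive.
sealed class CollectingSink : ILogEventSink
{
    public List<LogEvent> Events { get; } = new();
    public void Emit(LogEvent logEvent) => Events.Add(logEvent);
}

static class MaskingCanary
{
    // canary: constructed, non-secret value the custom masking operator should mask.
    // The canary event also reaches any sinks declared in the configuration.
    public static void EnsureMasked(IConfiguration configuration, string canary)
    {
        var sink = new CollectingSink();
        using var logger = new LoggerConfiguration()
            .ReadFrom.Configuration(configuration) // same "Serilog" section the app uses
            .WriteTo.Sink(sink)
            .CreateLogger();

        logger.Information("Masking canary {Value}", canary);

        // Fail closed: no captured event means the check proved nothing.
        if (sink.Events.Count == 0)
            throw new InvalidOperationException("Masking canary was not logged; cannot verify masking.");

        // The canary must not survive in the rendered message or in any property.
        bool leaked = sink.Events.Any(e =>
            e.RenderMessage().Contains(canary, StringComparison.Ordinal) ||
            e.Properties.Values.Any(p => p.ToString().Contains(canary, StringComparison.Ordinal)));

        if (leaked)
            throw new InvalidOperationException("Sensitive data masking is not active; refusing to start.");
    }
}
```

Calling `EnsureMasked` once at startup, and in a test that runs after dependency upgrades, surfaces a dropped `Operators` setting before any real data is logged.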