Newsgroups: php.internals
Date: Tue, 11 Jan 2022 11:23:48 +0100
Subject: Re: [PHP-DEV] RFC [Discussion]: Redacting parameters in back traces
From: kjarli@gmail.com (Lynn)
To: Tim Düsterhus, WoltLab GmbH
Cc: PHP internals

On Mon, Jan 10, 2022 at 3:05 PM Tim Düsterhus, WoltLab GmbH <duesterhus@woltlab.com> wrote:

> Hi Internals!
>
> this is a follow-up for my "Pre-RFC" email from last Friday, January, 7th.
>
> Christoph Becker granted me RFC editing permissions and I've now written
> up our proposal as a proper RFC:
>
> https://wiki.php.net/rfc/redact_parameters_in_back_traces
>
> I recommend also taking a look at my previous email:
>
> https://externals.io/message/116847

Heya, thanks for this RFC!

The product I work on provides integration with dozens, if not hundreds of remote services.
This can be anything from mailboxes, (S)FTP(S), HTTP, and we have a lot of databases for our tenants. Being the legacy code it is, it's a never-ending battle to not expose critical information to the end user. Even though I've been working here for several years now, I still keep finding these things occasionally. As we also use external logging tools (such as the ELK stack), we want as little critical information sent anywhere and this RFC seems to really help reduce the leaking of this information here.

In the ideal scenario the connection information minus the password is logged explicitly, so that I have the information available whenever one of the many tenants' systems failed to connect to one of the many dynamically configured APIs, but doing this retroactively through millions of lines of code that's over 10 years old is a lot of work.

One possible addition; would it be possible to analyze the masked values and mask any 100% matches elsewhere?

https://3v4l.org/G0RaQ

```
function one(string $param) {
    throw new Exception($param);
}

function two(#[SensitiveParameter] string $param) {
    one($param);
}

two('the secret');

Fatal error: Uncaught Exception: the secret in /in/G0RaQ:4
Stack trace:
#0 /in/G0RaQ(8): one('the secret')
#1 /in/G0RaQ(11): two('the secret')
#2 {main}
  thrown in /in/G0RaQ on line 4
```

This would help in the scenario where the function `one` comes from an external library, but it also means that I don't have to go through every single layer and add the attributes. In the above example I want any mention of `the secret` to be hidden. Let's say the sensitive data is a password, then I don't want that password shown at all in the stacktrace. The original RFC is already very valuable to me without this, but would still expose a lot of sensitive data I fear.

The result I want from this:

```
Fatal error: Uncaught Exception: Object(SensitiveParameter) in /in/G0RaQ:4
Stack trace:
#0 /in/G0RaQ(8): one(Object(SensitiveParameter))
#1 /in/G0RaQ(11): two(Object(SensitiveParameter))
#2 {main}
  thrown in /in/G0RaQ on line 4
```

This would also cover cases where for some reason the sensitive data is added to the exception. Yes, this big facepalm is something I encounter sadly too often in legacy code.
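
Added example, not part of the message above or of the RFC: a userland version of the exact-match masking requested there, applied when an exception is rendered for logging. It assumes PHP 8.2 or later (where `#[SensitiveParameter]` and the `SensitiveParameterValue` class exist) and `zend.exception_ignore_args=0`; `MASK`, `collectSecrets()`, `renderArg()` and `renderRedacted()` are hypothetical names.

```php
<?php
// Added illustration, not php-src code. Assumes PHP 8.2+ with
// zend.exception_ignore_args=0; helper names here are hypothetical.
const MASK = 'Object(SensitiveParameterValue)';

/** Gather non-empty string values that any frame marked as sensitive. */
function collectSecrets(array $trace): array
{
    $secrets = [];
    foreach ($trace as $frame) {
        foreach ($frame['args'] ?? [] as $arg) {
            $value = $arg instanceof SensitiveParameterValue ? $arg->getValue() : null;
            if (is_string($value) && $value !== '') {
                $secrets[$value] = true; // keyed to de-duplicate
            }
        }
    }
    // Numeric-looking keys come back as ints; restore strings for strict compare.
    return array_map('strval', array_keys($secrets));
}

/** Render one argument; a 100% match of a known secret is masked. */
function renderArg(mixed $arg, array $secrets): string
{
    if ($arg instanceof SensitiveParameterValue
        || (is_string($arg) && in_array($arg, $secrets, true))) {
        return MASK;
    }
    return is_scalar($arg) ? var_export($arg, true) : get_debug_type($arg);
}

/** Build a log-safe message and stack trace for $e. */
function renderRedacted(Throwable $e): string
{
    $secrets = collectSecrets($e->getTrace());
    // The message may embed the secret, so substrings are replaced there.
    $out = get_class($e) . ': ' . str_replace($secrets, MASK, $e->getMessage()) . "\n";
    foreach ($e->getTrace() as $i => $frame) {
        $args = array_map(fn ($a) => renderArg($a, $secrets), $frame['args'] ?? []);
        $out .= sprintf("#%d %s(%d): %s(%s)\n", $i, $frame['file'] ?? '[internal]',
            $frame['line'] ?? 0, $frame['function'], implode(', ', $args));
    }
    return $out;
}

// The two functions from the message above; only two() carries the attribute.
function one(string $param) { throw new Exception($param); }
function two(#[SensitiveParameter] string $param) { one($param); }

try { two('the secret'); } catch (Exception $e) { echo renderRedacted($e); }
```

The raw value remains reachable through the Throwable itself (`getMessage()`, `SensitiveParameterValue::getValue()`), so only the rendered string should be forwarded to external log sinks such as ELK. Very short secrets will also mask unrelated substrings of the message.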