0
votes

I'm using Spray client to consume a third-party API. Unfortunately, the API I'm consuming is not very secure and utilizes an authentication method using GET query parameters. Sometimes we're getting timeouts or connection issues which we know how to deal with applicatively. The problem is that Spray logs this at a WARN log-level, and the URL, including the sensitive query parameters (), is being written in our log files.

Here's an example of the log file.

2015-05-19 12:23:17,024 WARN HttpHostConnectionSlot - Connection attempt to 10.10.10.10:443 failed in response to GET request to /api/?type=keygen&user=test_user&password=S3kret! with 2 retries left, retrying...
2015-05-19 12:23:17,084 WARN HttpHostConnectionSlot - Connection attempt to 10.10.10.10:443 failed in response to GET request to /api/?type=keygen&user=test_user&password=S3kret! with 1 retries left, retrying...

Is there any way to filter this? (Maybe in Akka?)

1 Answer

1
votes

Spray reuses akka-logging for doing all logging groundwork.

In akka you can redeclare a custom event logger in application config:

akka {
  # event-handlers = ["akka.event.Logging$DefaultLogger"] // default one
  event-handlers = ["com.example.PrivacyLogger"] // custom one
  # Options: ERROR, WARNING, INFO, DEBUG
  loglevel = "DEBUG"
}

It may look like this:

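  import akka.event.Logging._

  class PrivacyLogger extends DefaultLogger {
    override def receive: Receive = {
      case InitializeLogger(_) ⇒ sender() ! LoggerInitialized
      case event: LogEvent     ⇒ print(stripSecret(event))
    }
    // Returns a copy of the event with sensitive values removed from its message
    private def stripSecret(event: LogEvent): LogEvent = ...
  }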

But you can always implement your own message processing logic here instead of simple printing.

PS. If you use slf4j for logging, the solution will mostly look the same, but with some minor differences like overriding akka.event.slf4j.Slf4jEventHandler instead of DefaultLogger.
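
One possible body for the `stripSecret` placeholder in the answer above, as an added example that is not part of the original answer or of the Spray/Akka code base. It assumes the Akka 2.3-era `akka.event.Logging` event case classes; the `Redactor` object and its list of parameter names are hypothetical and should be adapted to the API being called.

```scala
import akka.event.Logging._

// Hypothetical helper: masks the values of sensitive query parameters in a log message.
object Redactor {
  // Assumed parameter names; "password" is the one visible in the sample log lines.
  private val SensitiveParams = Seq("password", "passwd", "token", "apikey")

  // Matches "?name=value" or "&name=value" and captures everything up to the "=".
  // The value ends at the next "&" or whitespace, which covers the
  // "... GET request to /api/?...&password=S3kret! with 2 retries left" format.
  private val Pattern =
    ("(?i)([?&](?:" + SensitiveParams.mkString("|") + ")=)[^&\\s]*").r

  def redact(message: String): String =
    Pattern.replaceAllIn(message, "$1***")
}

class PrivacyLogger extends DefaultLogger {
  override def receive: Receive = {
    case InitializeLogger(_) => sender() ! LoggerInitialized
    case event: LogEvent     => print(stripSecret(event))
  }

  // Rebuilds the event with a redacted message. Rebuilding resets the event's
  // timestamp and thread to those of the logger actor. The Throwable attached
  // to an Error is passed through unchanged, so a URL embedded in the
  // exception's own message is not redacted here.
  private def stripSecret(event: LogEvent): LogEvent = event match {
    case Error(cause, src, cls, msg) =>
      Error(cause, src, cls, Redactor.redact(String.valueOf(msg)))
    case Warning(src, cls, msg) =>
      Warning(src, cls, Redactor.redact(String.valueOf(msg)))
    case Info(src, cls, msg) =>
      Info(src, cls, Redactor.redact(String.valueOf(msg)))
    case Debug(src, cls, msg) =>
      Debug(src, cls, Redactor.redact(String.valueOf(msg)))
    case other => other
  }
}
```

With the sample WARN line from the question, the logged request path becomes `/api/?type=keygen&user=test_user&password=***`. Redaction in the logger only covers this one sink; the same URL can still appear in proxy or server access logs.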