Merge branch 'always_safelog_on_console' into 'main'

Enforce SafeLogging on the console. Closes #553 See merge request tpo/core/arti!742
2022-09-26 16:33:58 +00:00 · 2022-09-26 16:33:58 +00:00 · 85dfe9d1ec
parent 1b53544ee8 8ddc1a4b36
commit 85dfe9d1ec
1 changed files with 10 additions and 30 deletions
--- a/crates/arti/src/logging.rs
+++ b/crates/arti/src/logging.rs
@ -53,6 +53,11 @@ pub struct LoggingConfig {
    /// This can be useful for debugging, but it increases the value of your
    /// logs to an attacker.  Do not turn this on in production unless you have
    /// a good log rotation mechanism.
+    //
+    // TODO: Eventually we might want to make this more complex, and add a
+    // per-log mechanism to turn off unsafe logging. Alternatively, we might do
+    // that by extending the filter syntax implemented by `tracing` to have an
+    // "unsafe" flag on particular lines.
    #[builder_field_attr(serde(default))]
    #[builder(default)]
    log_sensitive_information: bool,
@ -130,28 +135,6 @@ fn filt_from_opt_str(s: &Option<String>, source: &str) -> Result<Option<Targets>
    })
 }

-/// Helper to disable safe-logging when formatting an event to be logged to the
-/// console.
-struct FormatWithSafeLoggingSuppressed<F> {
-    /// An inner formatting type that does the actual formatting.
-    inner: F,
-}
-impl<S, N, F> fmt::FormatEvent<S, N> for FormatWithSafeLoggingSuppressed<F>
-where
-    F: fmt::FormatEvent<S, N>,
-    N: for<'writer> fmt::FormatFields<'writer> + 'static,
-    S: Subscriber + for<'span> tracing_subscriber::registry::LookupSpan<'span>,
-{
-    fn format_event(
-        &self,
-        ctx: &fmt::FmtContext<'_, S, N>,
-        writer: fmt::format::Writer<'_>,
-        event: &tracing::Event<'_>,
-    ) -> std::fmt::Result {
-        safelog::with_safe_logging_suppressed(|| self.inner.format_event(ctx, writer, event))
-    }
-}
-
 /// Try to construct a tracing [`Layer`] for logging to stdout.
 fn console_layer<S>(config: &LoggingConfig, cli: Option<&str>) -> Result<impl Layer<S>>
 where
@ -161,14 +144,11 @@ where
        .map(|s| filt_from_str_verbose(s, "--log-level command line parameter"))
        .or_else(|| filt_from_opt_str(&config.console, "logging.console").transpose())
        .unwrap_or_else(|| Ok(Targets::from_str("debug").expect("bad default")))?;
-    // We suppress safe logging when formatting messages for the console,
-    // which we assume to be volatile.
-    let format = FormatWithSafeLoggingSuppressed {
-        inner: fmt::format(),
-    };
-    Ok(fmt::Layer::default()
-        .event_format(format)
-        .with_filter(filter))
+    // We used to suppress safe-logging on the console, but we removed that
+    // feature: we cannot be certain that the console really is volatile. Even
+    // if isatty() returns true on the console, we can't be sure that the
+    // terminal isn't saving backlog to disk or something like that.
+    Ok(fmt::Layer::default().with_filter(filter))
 }

 /// Try to construct a tracing [`Layer`] for logging to journald, if one is