-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issue: Bugsnag koa logs request cookies & request body #1630
Comments
Hey @villesau, the request headers, and body are captured where available. This is by design. You can see exactly what data is captured automatically here, and how to remove them from Bugsnag reports: https://docs.bugsnag.com/platforms/javascript/koa/automatically-captured-data/#request-information
|
@xander-jones You have quite dangerous defaults then. How on earth you think that logging cookies is a sane default? |
For many developers, logging cookies may be a helpful link in debugging. Sensitive data shouldn't be stored in cookies strictly speaking, but in cases where it is required, yes I agree it ought to be redacted. I'd suggest this is an exception to the norm. I don't think this is a security issue per se as this data is redactable, and all automatically captured data is documented. But I hear your concerns with regards defaults – I'll raise this with the team 👍 For future travellers; you can remove cookies from ever being sent in Koa, (or equivalently for any JS framework with Bugsnag in use where a request is captured) with Bugsnag.start({
apiKey: YOUR_BUGSNAG_API_KEY,
plugins: [BugsnagPluginKoa],
redactedKeys: [
'cookie', // exact match: "cookie"
'access_token', // exact match: "access_token"
/^password$/i, // case-insensitive: "password", "PASSWORD", "PaSsWoRd"
/^cc_/ // prefix match: "cc_number" "cc_cvv" "cc_expiry"
]
})
const app = new Koa()
// app setup excluded for brevity ...
app.use(
router()
.get('/cookies', (ctx, next) => {
ctx.cookies.set("foo", "bar");
ctx.bugsnag.notify(new Error("Cookies be gone!"))
})
// ...
) results in the following reported to Bugsnag under the "headers": {
"cookie": "[REDACTED]"
} |
Thank you for taking it forward. Cookie is probably the most sensitive field of all of them since in regular web apps it has the session information that gives access to all the users data. One way to make Bugsnag more secure (with typescript at least) would be to make |
Describe the bug
When error is reported, bugsnag Koa plugin reports also request cookies:
bugsnag-js/packages/plugin-koa/src/koa.js
Line 99 in 18223eb
And
bugsnag-js/packages/plugin-koa/src/request-info.js
Line 12 in 18223eb
As you see, there's no filter what so ever when cookies are passed forward.
Steps to reproduce
Environment
The issue likely exists in other plugins too.
E: I also think that the request body is logged as well. With post requests that might contain users passwords and other credentials too. Very dangerous.
The text was updated successfully, but these errors were encountered: