Coping with logs being public
wh0

When you open the .co web part of a repl, it shows the logs of the program: https://grouchyluckycomputationalscience.wh0.repl.co/__logs. I would prefer if Repl would just... not. Here are some thoughts on why they should:

  1. It's convenient to use logging for debugging, which could log out some information that's meant to be secret, or that is sensitive, or that shouldn't be public. It's an extra hurdle for developers to have to set up a separate secure way to do our, albeit not prestigious, "printf" debugging.
  2. Our dependencies log too, and we often don't desire to muck around with configuring it. They're built to write things to a log, which, in the broader ecosystem, is always private. I'm aware that good systems go out of their way to prevent super-duper secret things from being logged, but there's still stuff that shouldn't be public. For example, consider the access logs of a web server. A good web framework won't log any authentication credentials, and Repl's architecture makes it so that users' real IP addresses are masked. But users' access patterns are something you'd normally desire not to be public.
  3. People make mistakes and sometimes the super-duper secret stuff does get logged. There may be code paths that we aren't able to test during development that then go on to log something. I'll be reaching out privately to authors of repls I examined when doing research for this post.

So the overall theme is (i) to make safe development frictionless and (ii) to make correct, secure development feasible.

And even if Repl doesn't change anything about this policy, I hope they'll at least make more prominent to users that this is the case and what it means for their apps' security.

I'm posting this to the community to open up a discussion about logging. I'd like to hear other users' answers to any of the following:

  • Are you aware that logs are public?
  • Have you made some cool repls that take advantage of the logs being public?
  • Do you think you take enough precautions to avoid logging anything sensitive?
  • How do you use logs during development?
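One way to keep "printf" debugging while the process's stdout is public, as an added example that is not part of the original post: send DEBUG output to a private file and pass everything that reaches stdout through a formatter that redacts credential-looking values. The patterns, the logger name and the sample messages below are constructed for illustration, and the example assumes the private stream is a file outside anything the web process serves.

```python
import logging
import re
from io import StringIO

# Constructed patterns for values that must never appear in a public log:
# bearer tokens and key=value pairs whose key looks like a credential.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(password|passwd|token|api[_-]?key|secret)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
]

def redact(text: str) -> str:
    """Replace credential-looking substrings with a fixed marker."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class RedactingFormatter(logging.Formatter):
    """Redacts after formatting, so it also covers values passed as %-args."""
    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))

def build_logger(name: str, public_stream, private_stream) -> logging.Logger:
    """Public handler: INFO and above, redacted. Private handler: everything.
    Assumption: private_stream is a file the web process never serves."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    public = logging.StreamHandler(public_stream)
    public.setLevel(logging.INFO)
    public.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    private = logging.StreamHandler(private_stream)
    private.setLevel(logging.DEBUG)
    private.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(public)
    logger.addHandler(private)
    return logger

def demo() -> tuple:
    """Log constructed messages; return (public_text, private_text)."""
    public_buf, private_buf = StringIO(), StringIO()
    log = build_logger("app", public_buf, private_buf)
    log.info("GET /account Authorization: Bearer abc.def.ghi")
    log.debug("session token=s3cr3t-value for user 42")  # private only
    log.info("login attempt password=%s", "hunter2")      # redacted in public
    return public_buf.getvalue(), private_buf.getvalue()
```

Running `demo()` shows the public stream with both secrets replaced by `[REDACTED]` and the DEBUG line absent, while the private stream holds the full, unredacted record.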
Comments
wh0

thanks for suggesting that I post it to feedback. https://repl.it/feedback/p/dont-expose-logs-publicly here's that entry

PattanAhmed

@wh0 Hi,
Seems like this is a good idea...

Post this on the Repl.it Feedback Section, as it is made for suggesting something on Repl.it and discussing it there.
https://repl.it/feedback

That's it
Thanks!

Hope this helps

Coder100

Logs are an internal repl.it thing, they are what appears on repls waking up. It is like a repl terminal:

but instead of you running it (an editor), it is an unknown user, and this will open up a security hole. But, because they disallow typing commands of any sort, as long as you don't print sensitive data, they are safe!

Bookie0

Hey there,

That's a cool suggestion; you can put it in the feedback board, https://repl.it/feedback. It's designed specifically for suggestions like yours as well as discussion about them ;)