Coping with logs being public
When you open the .co web part of a repl, it shows the logs of the program: https://grouchyluckycomputationalscience.wh0.repl.co/__logs. I would prefer if Repl would just... not. Here are some thoughts on why they should:
- It's convenient to use logging for debugging, which could log out some information that's meant to be secret, or that is sensitive, or that shouldn't be public. It's an extra hurdle for developers to have to set up a separate secure way to do our, albeit not prestigious, "printf" debugging.
- Our dependencies log too, and we often don't desire to muck around with configuring it. They're built to write things to a log, which, in the broader ecosystem, is always private. I'm aware that good systems go out of their way to prevent super-duper secret things from being logged, but there's still stuff that shouldn't be public. For example, consider the access logs of a web server. A good web framework won't log any authentication credentials, and Repl's architecture makes it so that users' real IP addresses are masked. But users' access patterns are something you'd normally desire not to be public.
- People make mistakes and sometimes the super-duper secret stuff does get logged. There may be code paths that we aren't able to test during development that then go on to log something. I'll be reaching out privately to authors of repls I examined when doing research for this post.
So the overall theme is (i) to make safe development frictionless and (ii) to make correct, secure development feasible.
And even if Repl doesn't change anything about this policy, I hope they'll at least make it more prominent to users that this is the case and what it means for their apps' security.
I'm posting this to the community to open up a discussion about logging. I'd like to hear other users' answers to any of the following:
- Are you aware that logs are public?
- Have you made some cool repls that take advantage of the logs being public?
- Do you think you take enough precautions to avoid logging anything sensitive?
- How do you use logs during development?
but instead of you running it (an editor), it is an unknown user, and this will open up a security hole. But, because they disallow typing commands of any sort, as long as you don't print sensitive data, they are safe!