The boto logger boto3.resources.action, which propagates to root logger, logs the entire uploaded bytes at INFO level.
First, this is already a security risk. I could have confidential information in those bytes.
Second, logging this at INFO level may be a bit too much, no? What if my bytes object is several GBs? I will have several GBs on one line in my log file. In my opinion, at the very least, the level should be TRACE when logging the bytes.
Workaround: mute the logger like so:

```python
from logging import getLogger

# mute too verbose boto3.resources.action logger
boto_resources_logger = getLogger('boto3.resources.action')
boto_resources_logger.setLevel('ERROR')
```
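As an added example (not from the original issue or from boto3), a `logging.Filter` that keeps INFO logging on for `boto3.resources.action` but replaces any bytes-like argument with a length-only placeholder before the record reaches a handler, instead of silencing the logger down to ERROR. It assumes the logger emits a %-style message whose args include a params dict carrying the body; the handler, the sample call and the sample values are constructed for the demo.

```python
import logging

BOTO_ACTION_LOGGER = "boto3.resources.action"  # logger named in the issue


def _scrub(value):
    """Recursively replace bytes-like values with a length-only placeholder."""
    if isinstance(value, (bytes, bytearray, memoryview)):
        return f"<{len(value)} bytes redacted>"
    if isinstance(value, dict):
        return {k: _scrub(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(_scrub(v) for v in value)
    return value


class RedactBytesFilter(logging.Filter):
    """Scrub bytes out of record.args before any handler formats the record.
    A filter on the logger runs in Logger.handle() ahead of propagation, so
    handlers on the root logger never see the payload either."""

    def filter(self, record: logging.LogRecord) -> bool:
        if record.args:  # %-style args: a tuple, or a dict for a lone mapping
            record.args = _scrub(record.args)
        return True  # keep the line, minus the payload


class ListHandler(logging.Handler):
    """Collects formatted lines so the result can be checked (constructed)."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def log_upload_with_redaction(body: bytes) -> str:
    """Emit an INFO line shaped like the issue's; return what the handler got."""
    logger = logging.getLogger(BOTO_ACTION_LOGGER)
    logger.setLevel(logging.INFO)  # INFO stays on, unlike the ERROR workaround
    logger.propagate = False  # keep the demo self-contained
    logger.handlers.clear()
    logger.filters.clear()
    logger.addFilter(RedactBytesFilter())
    handler = ListHandler()
    logger.addHandler(handler)
    # Assumed call shape (constructed): message plus a params dict with the body.
    params = {"Bucket": "example-bucket", "Key": "report.csv", "Body": body}
    logger.info("Calling %s:%s with %r", "s3", "put_object", params)
    return handler.lines[0]
```

A filter attached to the logger only sees records created by that logger and only scrubs %-style args, so a message pre-formatted with the payload already inside it would pass through unchanged.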
Fair point. We mostly log to debug to prevent this sort of over-sharing, but there are still a few places where we log elsewhere.
It is solved by this patch:
```
commit 5a4396a4e0d1b337c081cb4095e5255da915198e
Author: Tomasz Rybak <tomasz.rybak@post.pl>
Date:   Mon Mar 27 20:02:17 2017 +0200

    Do not log call parameters on info level

    Currently, when logging Glacier actions (e.g. upload), logging at info level
    is unusable, as entire file content gets logged (this can be many gigabytes).
```
Isn't it? I suggest closing this ticket.
If @xmementoit is correct, then the latest release of boto3, 1.4.7, contains this patch.
The latest tag still seems to be 1.4.7, and when I pip install 1.4.7 I still see this vulnerability there. Any suggestion, please?
Freshly installed [email protected] still gets this, FYI:

```
✗ Low severity vulnerability found on [email protected]
- desc: Information Exposure
- info: https://snyk.io/vuln/SNYK-PYTHON-BOTO3-40617
- from: [email protected]
```
What's the status of this issue? I'm still seeing the vulnerability in 1.5.x
As @xmementoit said, this was fixed in 5a4396a4e0d1b337c081cb4095e5255da915198e. That commit exists in the latest tag, 1.5.31.
I also have snyk yelling at me about this vulnerability. I think we need to close this issue to prevent that. See: https://snyk.io/vuln/SNYK-PYTHON-BOTO3-40617
Please close this ticket. My Python project is looking like this otherwise:

Snyk is reporting 1 vulnerability until this issue is closed.
@Dmitrii-I could you close the issue?
Closing as requested.