Description
Describe the bug
SDK logs sensitive data when running in debug mode.
To Reproduce
Steps to reproduce the behavior:
- Configure logging in debug mode. (https://github.com/splunk/splunk-sdk-python#optionalset-up-logging-for-splunklib)
- Call some specific endpoints (see list at the bottom).
- Inspect the logs, note passwords are included in plain text.
Expected behaviour
No sensitive data is logged, even when running in debug mode.
Logs or Screenshots
The binding.py file contains several instances of logging of network operations.
Example 1: https://github.com/splunk/splunk-sdk-python/blob/master/splunklib/binding.py#L779
Example 2: https://github.com/splunk/splunk-sdk-python/blob/master/splunklib/binding.py#L845
Splunk
- Version: Any
- OS: Any
- Deployment: Any
SDK:
- Version: 1.7.2
- Language Python 3.X
- OS: Any
Additional context
There was an attempt to prevent password leaks, as seen in #439
Unfortunately, according to the API Reference https://docs.splunk.com/Documentation/Splunk/9.0.3/RESTREF/RESTlist there are several endpoints that will include either a password or a key in their body, to list a few:
- auth/login
- authentication/users
- authentication/users/{name}
- authentication/providers/SAML
- authentication/providers/SAML/{stanza_name}
The recommendation would be to avoid logging headers and payloads of network operations, as sensitive data could be included in both.