destructurama/attributed

[LogHash] attribute

Rogmodr opened this issue · 4 comments

Hi! It would be cool to have an attribute that puts a hash of the value into logs, like:

public class SignInResult {
    [LogHash(HashAlgorithm.SHA1)]
    public string Token { get; set; }
}

Nice idea! I'd be a little hesitant to incorporate security-sensitive functionality in this library; perhaps this is one to develop/publish separately?

I understand your feelings, but it all depends on how users (developers) will apply it. You can offer some idea of using a salt. In any case it's better than nothing.

I actually implemented that functionality at my previous employer (unfortunately was not able to publish the code). The advantage of implementing in a separate library was that I was able to use attributes that were shared by both logging and the repository code (we were encrypting the data at rest) without needing to pull in some irrelevant logging framework specific package into the repository code:

  • Repository.cs -> SecurityAttributes.nupkg
  • LoggingSecurityAttributes.cs -> SecurityAttributes.nupkg, a shim class (IIRC) to wire up Serilog destructuring with Autofac, and if in the future you need to use a different logging framework (or, alternatively, needed to have different interpretations of the attribute directives depending on the environment) you would just create a different shim class.

In addition to hashing, I also provided symmetric and asymmetric encryption options with keys loaded from a local Windows crypto store, also providing for salts for the hashing functions. It was pretty slick.

I wish I had been allowed to publish it (to be fair to the employer, I wasn't explicitly forbidden, I just left before I was able to seek out permission to do so -- they were actually very good about allowing me to spend time on and contribute code back to OS projects, including Serilog).

In any case it's better than nothing.

Not necessarily - nothing has less maintenance/security overhead :-)

If anyone decides to take a shot at this and needs a hand, please reach out. Cheers!
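
A sketch of the approach discussed in this thread, added here as an illustration; it is not code from the issue, the commenters, or the Destructurama project. It assumes a hypothetical `LogHashAttribute` (with no algorithm parameter) in a package that has no logging dependency, a hypothetical `LogProjection.ToLogSafe` helper standing in for the logging shim, and it swaps the SHA1 of the request for a keyed HMAC-SHA256, so that someone holding only the logs cannot confirm a guessed value by hashing it.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;

// Constructed sample run: the key is random here; in practice it comes from a key store.
var key = RandomNumberGenerator.GetBytes(32);
var first = LogProjection.ToLogSafe(new SignInResult { User = "alice", Token = "constructed-token-1" }, key);
var again = LogProjection.ToLogSafe(new SignInResult { User = "alice", Token = "constructed-token-1" }, key);
Console.WriteLine($"User={first["User"]} Token={first["Token"]}");
Console.WriteLine($"Same token gives same tag: {Equals(first["Token"], again["Token"])}");

// Hypothetical marker attribute, usable by logging and non-logging code alike.
[AttributeUsage(AttributeTargets.Property)]
public sealed class LogHashAttribute : Attribute { }

public class SignInResult
{
    public string User { get; set; } = "";
    [LogHash] public string Token { get; set; } = "";
}

// Hypothetical shim: projects an object into a dictionary that is safe to log.
public static class LogProjection
{
    public static Dictionary<string, object?> ToLogSafe(object value, byte[] key)
    {
        var result = new Dictionary<string, object?>();
        foreach (var p in value.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            var raw = p.GetValue(value);
            var marked = p.GetCustomAttribute<LogHashAttribute>() != null;
            // Marked, non-null values are replaced by a tag; everything else passes through.
            result[p.Name] = marked && raw != null ? Tag(raw.ToString() ?? "", key) : raw;
        }
        return result;
    }

    static string Tag(string text, byte[] key)
    {
        using var hmac = new HMACSHA256(key);
        var mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(text));
        // Truncated to 64 bits: enough to correlate log entries for the same value.
        return "hmac:" + Convert.ToHexString(mac, 0, 8);
    }
}
```

The tags are only comparable across log entries produced with the same key, so rotating the key also breaks correlation with older logs.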