Unbound bunyan logger logs global `this`
milogert opened this issue · 0 comments
milogert commented
I ran into an issue that looks like a security issue. The sample code being used is:
```javascript
var bunyan = require('bunyan')
var logger = bunyan.createLogger({ name: 'foo' })
var info = logger.info // WRONG! we should bind this
global.secret = 'api key of some kind' // uncommon but dangerous
info('bar')
```
This results in a global `this` being logged out, and in the case where I found this issue, all of the environment variables are logged out as well (it's suspected that `this` in that case is a `process`, but it's hard to tell). Additionally, any secrets you stored on your global object would end up getting logged.
I realize that the workaround for this is to create the info logger like

```javascript
var info = logger.info.bind(logger)
```

but if that doesn't happen (most likely by mistake) then logging out all of `this` without knowing what `this` is seems pretty dangerous.
I am happy to try to give more context if needed.
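The mechanism behind the report, as an added stand-alone example (not bunyan's code and not the reporter's): a minimal logger whose `info()` reads its fields off `this`, called once unbound and once bound, next to a guarded variant that refuses to run with the wrong receiver. In a non-strict (CommonJS) function an unbound call receives `globalThis`, so every enumerable global property, including the constructed `secret` set below, lands in the record; in strict-mode code the receiver is `undefined` instead and the logger context is simply lost. The names `makeLogger`, `makeGuardedLogger` and `demo` are assumptions made for this example.

```javascript
// Added example, not bunyan's own code. Shows why an unbound method call
// leaks the global object into a log record and how to prevent it.

// Naive logger: like the report, it takes its fields from `this`.
function makeLogger(name) {
  const records = []; // captured via closure so it works even when unbound
  return {
    fields: { name: name },
    records: records,
    info: function (msg) {
      // Non-strict function with no receiver: `this` is globalThis
      // (strict mode: undefined). Whatever `this` is, its enumerable
      // properties become the record's fields.
      const receiver = this;
      const fields = receiver === undefined ? {} : (receiver.fields || receiver);
      const rec = Object.assign({}, fields, { msg: msg });
      rec.receiverWasGlobal = receiver === globalThis;
      records.push(rec);
      return rec;
    },
  };
}

// Guarded logger: a forgotten .bind() fails loudly instead of logging `this`.
function makeGuardedLogger(name) {
  const records = [];
  const logger = {
    fields: { name: name },
    records: records,
    info: function (msg) {
      if (this !== logger) {
        throw new TypeError('info() called unbound; use logger.info.bind(logger)');
      }
      const rec = Object.assign({}, logger.fields, { msg: msg });
      records.push(rec);
      return rec;
    },
  };
  return logger;
}

function demo() {
  // Constructed global secret, mirroring the report's `global.secret`.
  globalThis.secret = 'api key of some kind';

  const logger = makeLogger('foo');
  const info = logger.info;                 // unbound, as in the report
  const leaked = info('bar');               // receiver is globalThis (or undefined)

  const boundInfo = logger.info.bind(logger); // the reporter's workaround
  const safe = boundInfo('bar');
  const wrapped = (msg) => logger.info(msg);  // an arrow wrapper is equally safe
  const safe2 = wrapped('baz');

  const guarded = makeGuardedLogger('foo');
  const guardedInfo = guarded.info;         // same mistake against the guarded logger
  let guardError = null;
  try {
    guardedInfo('bar');
  } catch (e) {
    guardError = e;
  }

  delete globalThis.secret; // clean up the constructed global
  return { leaked: leaked, safe: safe, safe2: safe2, guardError: guardError };
}

const result = demo();
console.log('bound call record:', JSON.stringify(result.safe));
console.log('unbound call saw globalThis:', result.leaked.receiverWasGlobal,
  '| secret present in record:', 'secret' in result.leaked);
console.log('guarded logger rejected unbound call:', result.guardError instanceof TypeError);
```

The bound and arrow-wrapped calls carry `name: 'foo'` and nothing else; the unbound call never sees the logger's fields, and in sloppy mode carries the global `secret` (the record is not stringified above because `globalThis` contains a self-reference). The receiver check in `makeGuardedLogger` is the library-side mitigation: it costs one comparison per call and turns a silent leak into an immediate `TypeError` at the call site.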