trentm/node-bunyan

Unbound bunyan logger logs global `this`

milogert opened this issue · 0 comments

I ran into an issue that looks like a security issue. The sample code being used is:

var bunyan = require('bunyan')
var logger = bunyan.createLogger({ name: 'foo' })
var info = logger.info // WRONG! we should bind this (the method is detached from `logger`)
global.secret = 'api key of some kind' // uncommon but dangerous
info('bar') // plain call: `this` inside info is no longer `logger`

This results in the global `this` being logged out, and in the case where I found this issue, all of the environment variables are logged out as well (it's suspected that `this` in that case is a process, but it's hard to tell). Additionally, any secrets you stored on your global object would end up getting logged.

I realize that the workaround for this is to create the info logger like

var info = logger.info.bind(logger) // `this` is now fixed to `logger` regardless of how `info` is called

but if that doesn't happen (most likely by mistake), then logging out all of `this` without knowing what `this` is seems pretty dangerous.

I am happy to try to give more context if needed.
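The mechanism behind the report, as an added example that is not bunyan's code and not part of the original issue: a toy logger (`ToyLogger`, `leakyInfo`, `safeInfo` are names invented here) whose method builds its record from `this`, called once detached and once bound, plus a variant that fails closed when it is not called on a logger. The leaky method is created with the `Function` constructor so that it is guaranteed to be sloppy-mode code; that is the mode in which a plain call binds `this` to the global object, which is what the report observed (strict-mode code would get `undefined` and throw instead).

```javascript
// Added example, not bunyan's code. Reproduces "unbound method logs global
// `this`" with a toy logger and shows two fixes: bind at the call site, and
// refuse to run inside the method when `this` is not a logger.

function ToyLogger(name) {
  this.name = name;
}

// Leaky variant: renders every own string-valued property of `this`.
// Built with the Function constructor so it is sloppy-mode code no matter
// how this file is loaded; in sloppy mode the plain call `info('bar')`
// binds `this` to globalThis, so anything parked on the global object
// (global.secret = ...) ends up in the record.
ToyLogger.prototype.leakyInfo = new Function('msg', `
  var target = this;   // === globalThis when called unbound
  var record = {};
  Object.keys(target).forEach(function (key) {
    if (typeof target[key] === 'string') record[key] = target[key];
  });
  record.msg = msg;
  return JSON.stringify(record);
`);

// Hardened variant: a forgotten bind fails loudly instead of serializing
// whatever object `this` happens to be.
ToyLogger.prototype.safeInfo = function (msg) {
  if (!(this instanceof ToyLogger)) {
    throw new TypeError('info() called without a ToyLogger as this; use logger.info.bind(logger)');
  }
  return JSON.stringify({ name: this.name, msg: msg });
};

// Runs the four calls and returns their outcomes so they can be compared.
function demo() {
  var logger = new ToyLogger('foo');
  globalThis.secret = 'api key of some kind'; // constructed: the dangerous global from the report
  try {
    var info = logger.leakyInfo;                // detached, as in the report
    var leaked = info('bar');                   // record built from globalThis
    var bound = logger.leakyInfo.bind(logger);  // the workaround
    var ok = bound('bar');                      // record built from the logger
    var refused = false;
    try {
      var unsafe = logger.safeInfo;             // detached again, hardened method
      unsafe('bar');
    } catch (e) {
      refused = e instanceof TypeError;
    }
    return { leaked: leaked, ok: ok, refused: refused, safe: logger.safeInfo('bar') };
  } finally {
    delete globalThis.secret;                   // clean up the constructed global
  }
}
```

Running `demo()` shows the leaked record carrying `"secret":"api key of some kind"` and no `"name":"foo"`, the bound call producing `{"name":"foo","msg":"bar"}`, and the hardened method throwing a `TypeError` when detached. The `instanceof` guard is cheap and catches the mistake at the first log call, which is earlier than a secret showing up in a log aggregator.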