Security issue: private message data saved to system logs #274
Comments
|
Firstly, please be aware that blurring text is not the most secure way to obfuscate it and it is possible to unblur it. We don't intentionally log anything in the system logs. At all. The only permanent storage on the system should be the databases and the avatar cache. That said, what you're seeing there appears to be debug logging of the JSON that gets fetched. That should only be printed when making a debug build as it is conditionally commented. That flag only gets set when the build type is "debug" or "debugoptimised" (src). RPM and DEB packages seem to do default to "release" builds (to the best of my knowledge). If the Flatpak is logging that information then it strongly suggests that it's doing a debug build. Although why it would default to that is beyond me. Maybe @p1u3o or @CodedOre know more about Flatpak and know why it would be doing a debug build? |
IBBoard
added
bug
|
Do we just need to add: in the "cawbird" module section? (based on this documentation comment) And why is this not default behaviour? Whatever we do, we should make sure that the Flatpak config here continues to be a debug build and the Flathub version is a release build (because Flathub is for general use, and the version in this repo is intentionally the "developer building from Master" config) |
Have taken a small look in the topic, and our meson defines the default build type as
Agreed. |
|
I've checked the build logs on OBS and all of the distros appear to be smart enough to make "plain" builds even though all we use in the spec file is the Yes, the Meson default is debug, but that doesn't mean that a packaging system's default has to be the build system's default! Can someone with a Flatpak setup check whether the config-opts works? I've not got a Flatpak build setup, and unlike the Open Build Service, I don't know how I'd either a) do an "unstable" build with Flathub or b) check the build output if it ever failed to build correctly! |
|
Can check this out tomorrow. But what I referred to with "our meson" was our meson.build, as it sets in line 6 the default buildtype specifically to |
|
Ah, so it does. But the meson default is debug anyway, so it probably isn't affecting anything. Plus it is reasonable to make a debug build, the same as we're defaulting this Flatpak config to debug. |
The Flathub package should swap this to "plain"
|
I've made a branch with what I think is the right change. I'm also going to make some other changes around how we log this information anyway. |
Also combined logging to a single line now we don't pretty-print and removed double-logging for DMs (once in the block of all retrieved DMs and once when they get faux-streamed). But since that may hide non-"message_create" messages, we now log the JSON earlier, before we drop unsupported messages.
This should make it more obvious to third-parties if they accidentally make debug builds. (Although it's not clear where you might see it if you build for FlatHub)
|
So, did not get to anything yesterday, but I found where the build logs for Flathub are located: |
|
At least that's a build status, which is something. I can't seem to find actual logs, though… oh, wait, is it the status icon and nothing else? Ah, yes, there it is. I'm struggling to find references to Meson in it to understand what it's doing with the build, though. |
|
Okay, I've (hopefully) made it build a "plain" build now on Flathub, the same as RPM and DEB files seem to do by default. If someone can test the new Flatpak package when it gets published then that'd be great. It definitely built successfully, but the build log navigation is nowhere near as easy as on OBS for RPM and DEB and so I've not been able to confirm that it's changed the behaviour. Once I know that I've got the right way of changing the build type then I'll merge the changes from here as well so that we've got extra things to reduce the risk of it happening again for other people in other builds. [Edit] I think I finally found it. Seemingly the web interface does something and I've got to get the raw log. There's a line (with ANSI stripped) that says: So I think we're sorted! |
|
Tested the built flatpak (from build 36427) and I couldn't see Debug Messages, so it should be sorted indeed. |
|
It wasn't technically debug, it was |
The Flathub package should swap this to "plain"
Also combined logging to a single line now we don't pretty-print and removed double-logging for DMs (once in the block of all retrieved DMs and once when they get faux-streamed). But since that may hide non-"message_create" messages, we now log the JSON earlier, before we drop unsupported messages.
This should make it more obvious to third-parties if they accidentally make debug builds. (Although it's not clear where you might see it if you build for FlatHub)
It seems helpful, but it's probably bad practice and it can lead to unexpected behaviour.
Describe the bug
While using Cawbird 1.3.1 installed via the official Flatpak, I noticed when checking the journalctl on my system that full message contents, including direct messages, IDs, etc., were being logged in plaintext.
To Reproduce
Steps to reproduce the behavior:
journalctl -n 100 --no-pagerfrom the Terminal to view recent entries in the system journal logExpected behavior
Tweets and message contents should not be stored directly inside of system log files
Screenshots
Here is a screenshot showing some output with a sample direct message. A redacted direct message (which incidentally included my home address) can be seen in the output below as well, although blurred as to not publicly reveal that information.
System details:
The text was updated successfully, but these errors were encountered: