- Type: Spec Change
- Resolution: Unresolved
- Priority: Unknown
- Component/s: Logging
Summary
The current spec for command logging requires that all command started messages contain a truncated form of the command document, unless the command is considered sensitive (https://github.com/mongodb/specifications/blob/master/source/command-logging-and-monitoring/command-logging-and-monitoring.rst#command-started-message). However, this does not prevent potentially sensitive user data contained in non-sensitive commands from being leaked through logging. For example, inserting documents that contain sensitive information while logging is enabled would result in the truncated form of those documents being logged.
It's possible to work around this behavior currently by simply setting the truncation limit to 0 characters, but a more user-friendly configuration method would be preferable, such as requiring users to opt in to logging truncated command documents.
Motivation
Who is the affected end user?
All users of standardized command logging.
How does this affect the end user?
Potentially sensitive user data could be unintentionally leaked through logs.
How likely is it that this problem or use case will occur?
This will occur for every command the user executes with debug command logging enabled, unless they preemptively truncate the entire document.
If the problem does occur, what are the consequences and how severe are they?
Leaking sensitive user data through debug logs could be a significant security issue.
Is this issue urgent?
This should be resolved before standardized logging is released.
Is this ticket required by a downstream team?
N/A.
Is this ticket only for tests?
No, this ticket has functional impact.
- is caused by: DRIVERS-1673 Add log messages to Command monitoring spec
- Implementing
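The leak described in the summary, modelled as an added sketch that is not part of the ticket, the spec, or any driver's code. The function names, the message format, the 1000-character default and the short sensitive-command list are assumptions made for illustration, and the inserted document is constructed sample data.

```python
import json

# Assumed for this sketch: a 1000-character default limit and a short
# sensitive-command list; neither value is taken from this ticket.
DEFAULT_MAX_DOCUMENT_LENGTH = 1000
SENSITIVE_COMMANDS = {"authenticate", "saslstart", "saslcontinue", "createuser", "updateuser"}


def truncate(text, limit):
    """Cut text to `limit` characters, marking the cut with '...'."""
    return text if len(text) <= limit else text[:limit] + "..."


def command_started_message(command, limit=DEFAULT_MAX_DOCUMENT_LENGTH, log_documents=True):
    """Build a model 'command started' log line for a command document.

    log_documents=False models the opt-in behaviour the ticket proposes:
    the document is omitted unless the user asks for it.
    """
    name = next(iter(command))  # first key of a command document is its name
    if name.lower() in SENSITIVE_COMMANDS or not log_documents:
        body = "{}"
    else:
        body = truncate(json.dumps(command), limit)
    return f'Command "{name}" started. Command: {body}'


def leaks(message, secrets):
    """Return the secrets that appear verbatim in a log message."""
    return [s for s in secrets if s in message]


# Constructed sample: an ordinary (non-sensitive) insert carrying personal data.
INSERT = {"insert": "patients", "documents": [{"name": "Jane Roe", "ssn": "078-05-1120"}]}
SECRETS = ["Jane Roe", "078-05-1120"]

if __name__ == "__main__":
    cases = [("default", {}), ("limit 60", {"limit": 60}),
             ("limit 0", {"limit": 0}), ("opt-in off", {"log_documents": False})]
    for label, kwargs in cases:
        msg = command_started_message(INSERT, **kwargs)
        print(f"{label:10} leaks={leaks(msg, SECRETS)} :: {msg}")
```

A partial limit only cuts the tail of the document, so fields that sort early still reach the log; only a limit of 0 or omitting the document removes both values.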