Skip to content

Latest commit

 

History

History
63 lines (53 loc) · 5.9 KB

threat-modeling.md

File metadata and controls

63 lines (53 loc) · 5.9 KB

Threat Model Analysis for uber-go/zap

Threat: Sensitive Data Exposure via Unfiltered Logging

  • Threat: Sensitive Data Exposure via Unfiltered Logging

    • Description: An attacker gains access to log files and extracts sensitive information that was inadvertently logged due to misconfiguration of zap's logging levels or lack of proper redaction within zap's configuration or custom encoders. This is a direct misuse of zap's features.
    • Impact:
      • Exposure of PII, leading to identity theft, financial loss, or reputational damage.
      • Disclosure of credentials, allowing unauthorized access to systems and data.
      • Revelation of internal system details, aiding in further attacks.
      • Compliance violations (e.g., GDPR, HIPAA, PCI DSS).
    • Affected Zap Component:
      • zapcore.Core: Misconfiguration of the core interface (e.g., using Debug level in production) is the primary cause.
      • zap.Logger: Incorrect usage (e.g., logging entire request objects) via the main logging interface.
      • Any custom zap.ObjectEncoder or zap.ArrayEncoder implementation that fails to redact sensitive fields.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strict Log Level Control: Use zap.ErrorLevel or zap.WarnLevel as the default production log level. Only enable DebugLevel or InfoLevel in controlled environments.
      • Data Redaction: Implement custom zapcore.Core implementations or zap.Hooks to filter or redact sensitive data before it reaches the encoder. Use regular expressions or dedicated redaction libraries within these custom components.
      • Structured Logging: Always use zap's structured logging features (e.g., logger.Info("message", zap.String("key", "value"))). Avoid logging raw strings.
      • Field-Specific Logging: Log only necessary fields, not entire objects. Create custom encoders for specific data types to ensure consistent and safe logging within zap.
      • Code Review: Regularly review code that uses zap to ensure that sensitive data is not being logged.
      • Secure Configuration: Store sensitive zap configuration (e.g., API keys for external logging services, if used) securely.

Threat: Denial of Service via Excessive Logging (Direct zap Misconfiguration)

  • Threat: Denial of Service via Excessive Logging (Direct zap Misconfiguration)

    • Description: An attacker triggers actions that, combined with a misconfigured zap setup (e.g., excessively verbose logging level, lack of sampling), cause zap to consume excessive system resources. This is distinct from general application DoS; it's specifically about zap's contribution to the problem due to its configuration.
    • Impact:
      • Application slowdown or unavailability due to resource exhaustion caused by the logging process itself.
      • Disk space exhaustion, leading to system instability, specifically triggered by zap's output.
      • Increased operational costs.
    • Affected Zap Component:
      • zapcore.Core: A high log level combined with a fast encoder (e.g., zapcore.NewConsoleEncoder) exacerbates the issue.
      • zap.Logger: The application's use of the logger, especially at high verbosity, directly controls the volume.
      • zap.Sampling: If not used, all logs are written, increasing the risk. A misconfigured sampler could also contribute.
    • Risk Severity: High
    • Mitigation Strategies:
      • Log Level Control: Use appropriate log levels (e.g., zap.ErrorLevel or zap.WarnLevel in production).
      • Sampling: Use zap.Sampling to reduce the volume of logs written in high-traffic scenarios. Configure the sampler correctly to write a representative subset.
      • Asynchronous Logging: If the application architecture allows, consider using asynchronous logging to minimize zap's direct impact on the application's performance.
      • Monitoring: Monitor disk space, CPU, and memory.

Threat: Log Injection and Forgery (Due to Unsafe zap Usage)

  • Threat: Log Injection and Forgery (Due to Unsafe zap Usage)

    • Description: An attacker injects malicious data into log entries because the application uses zap to log unsanitized user input. This is a direct consequence of how zap is used, not a general input validation issue. The attacker aims to disrupt log analysis or mislead investigations.
    • Impact:
      • Corruption of log data.
      • Misleading investigations.
      • Potential (though less direct) for DoS if injected data causes excessive logging.
    • Affected Zap Component:
      • zap.Logger: The application's use of the logger to log unsanitized input is the direct cause.
      • zapcore.Encoder: Custom encoders might be vulnerable if not implemented to properly escape special characters.
    • Risk Severity: High
    • Mitigation Strategies:
      • Structured Logging: Always use zap's structured logging features. Log data as key-value pairs, and rely on zap's encoders to properly escape special characters.
      • Input Validation and Sanitization (as it pertains to logging): While broader input validation is crucial, specifically ensure that any data passed to zap's logging methods is sanitized to prevent injection of control characters or newlines. This is a mitigation within the context of using zap.
      • Contextual Logging: Include contextual information (e.g., user ID, request ID) in log entries, but ensure this data is also handled safely within zap.