Sanitizing system logs

Author: brettsam

src/WebJobs.Script.WebHost/Diagnostics/EventGenerator.cs

@@ -12,7 +12,7 @@ internal class EventGenerator : IEventGenerator
     {
         private const string EventTimestamp = "MM/dd/yyyy hh:mm:ss.fff tt";
 
-        public void LogFunctionTraceEvent(TraceLevel level, string subscriptionId, string appName, string functionName, string eventName, string source, string details, string summary, Exception exception = null)
+        public void LogFunctionTraceEvent(TraceLevel level, string subscriptionId, string appName, string functionName, string eventName, string source, string details, string summary)
         {
             string eventTimestamp = DateTime.UtcNow.ToString(EventTimestamp);
             switch (level)
@@ -27,10 +27,6 @@ public void LogFunctionTraceEvent(TraceLevel level, string subscriptionId, strin
                     FunctionsSystemLogsEventSource.Instance.RaiseFunctionsEventWarning(subscriptionId, appName, functionName, eventName, source, details, summary, ScriptHost.Version, eventTimestamp);
                     break;
                 case TraceLevel.Error:
-                    if (string.IsNullOrEmpty(details) && exception != null)
-                    {
-                        details = exception.ToFormattedString();
-                    }
                     FunctionsSystemLogsEventSource.Instance.RaiseFunctionsEventError(subscriptionId, appName, functionName, eventName, source, details, summary, ScriptHost.Version, eventTimestamp);
                     break;
             }

src/WebJobs.Script.WebHost/Diagnostics/IEventGenerator.cs

@@ -8,7 +8,7 @@ namespace Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics
 {
     public interface IEventGenerator
     {
-        void LogFunctionTraceEvent(TraceLevel level, string subscriptionId, string appName, string functionName, string eventName, string source, string details, string summary, Exception exception = null);
+        void LogFunctionTraceEvent(TraceLevel level, string subscriptionId, string appName, string functionName, string eventName, string source, string details, string summary);
 
         void LogFunctionMetricEvent(string subscriptionId, string appName, string functionName, string eventName, long average, long minimum, long maximum, long count, DateTime eventTimestamp);
 

src/WebJobs.Script.WebHost/Diagnostics/Sanitizer.cs

@@ -0,0 +1,53 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.Azure.WebJobs.Logging
+{
+    /// <summary>
+    /// Utility class for sanitizing logging strings.
+    /// </summary>
+    // Note: This file is shared between the WebJobs SDK and Script repos. Update both if changes are needed.
+    internal static class Sanitizer
+    {
+        private const string SecretReplacement = "[Hidden Credential]";
+        private static readonly char[] ValueTerminators = new char[] { '<', '"' };
+        private static readonly string[] CredentialTokens = new string[] { "Token=", "DefaultEndpointsProtocol=http", "AccountKey=", "Data Source=", "Server=", "Password=", "pwd=", "&amp;sig=" };
+
+        /// <summary>
+        /// Removes well-known credential strings from strings.
+        /// </summary>
+        /// <param name="input">The string to sanitize.</param>
+        /// <returns>The sanitized string.</returns>
+        internal static string Sanitize(string input)
+        {
+            if (input == null)
+            {
+                return null;
+            }
+
+            string t = input;
+            foreach (var token in CredentialTokens)
+            {
+                int startIndex = 0;
+                while (true)
+                {
+                    // search for the next token instance
+                    startIndex = t.IndexOf(token, startIndex, StringComparison.OrdinalIgnoreCase);
+                    if (startIndex == -1)
+                    {
+                        break;
+                    }
+
+                    // Find the end of the secret. It most likely ends with either a double quota " or tag opening <
+                    int credentialEnd = t.IndexOfAny(ValueTerminators, startIndex);
+
+                    t = t.Substring(0, startIndex) + SecretReplacement + (credentialEnd != -1 ? t.Substring(credentialEnd) : string.Empty);
+                }
+            }
+
+            return t;
+        }
+    }
+}

src/WebJobs.Script.WebHost/Diagnostics/SystemTraceWriter.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Diagnostics;
 using Microsoft.Azure.WebJobs.Host;
+using Microsoft.Azure.WebJobs.Logging;
 using Microsoft.Azure.WebJobs.Script.Config;
 
 namespace Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics
@@ -35,7 +36,7 @@ public override void Trace(TraceEvent traceEvent)
             string subscriptionId = _subscriptionId ?? string.Empty;
             string appName = _appName ?? string.Empty;
             string source = traceEvent.Source ?? string.Empty;
-            string summary = traceEvent.Message ?? string.Empty;
+            string summary = Sanitizer.Sanitize(traceEvent.Message) ?? string.Empty;
 
             // Apply any additional extended event info from the Properties bag
             string functionName = string.Empty;
@@ -63,11 +64,16 @@ public override void Trace(TraceEvent traceEvent)
 
                 if (traceEvent.Properties.TryGetValue(ScriptConstants.TracePropertyEventDetailsKey, out value) && value != null)
                 {
-                    details = value.ToString();
+                    details = Sanitizer.Sanitize(value.ToString());
                 }
             }
 
-            _eventGenerator.LogFunctionTraceEvent(traceEvent.Level, subscriptionId, appName, functionName, eventName, source, details, summary, traceEvent.Exception);
+            if (string.IsNullOrEmpty(details) && traceEvent.Exception != null)
+            {
+                details = Sanitizer.Sanitize(traceEvent.Exception.ToFormattedString());
+            }
+
+            _eventGenerator.LogFunctionTraceEvent(traceEvent.Level, subscriptionId, appName, functionName, eventName, source, details, summary);
         }
     }
 }

src/WebJobs.Script/Host/ScriptHost.cs

@@ -48,6 +48,12 @@ public class ScriptHost : JobHost
         internal const string GeneratedTypeName = "Functions";
         private readonly IScriptHostEnvironment _scriptHostEnvironment;
         private readonly ILoggerFactoryBuilder _loggerFactoryBuilder;
+        private static readonly string[] WellKnownHostJsonProperties = new[]
+        {
+            "id", "functionTimeout", "http", "watchDirectories", "functions", "queues", "serviceBus",
+            "eventHub", "tracing", "singleton", "logger", "aggregator", "applicationInsights"
+        };
+
         private string _instanceId;
         private Func<Task> _restart;
         private Action _shutdown;
@@ -354,10 +360,6 @@ protected virtual void Initialize()
                 TraceWriter.Info(readingFileMessage);
 
                 string json = File.ReadAllText(hostConfigFilePath);
-
-                string readFileMessage = $"Host configuration file read:{Environment.NewLine}{json}";
-                TraceWriter.Info(readFileMessage);
-
                 JObject hostConfigObject;
                 try
                 {
@@ -371,11 +373,14 @@ protected virtual void Initialize()
                     ConfigureDefaultLoggerFactory();
                     ILogger startupErrorLogger = _hostConfig.LoggerFactory.CreateLogger(LogCategories.Startup);
                     startupErrorLogger.LogInformation(readingFileMessage);
-                    startupErrorLogger.LogInformation(readFileMessage);
 
                     throw new FormatException(string.Format("Unable to parse {0} file.", ScriptConstants.HostMetadataFileName), ex);
                 }
 
+                string sanitizedJson = SanitizeHostJson(hostConfigObject);
+                string readFileMessage = $"Host configuration file read:{Environment.NewLine}{sanitizedJson}";
+                TraceWriter.Info(readFileMessage);
+
                 try
                 {
                     ApplyConfiguration(hostConfigObject, ScriptConfig);
@@ -586,6 +591,22 @@ private static IEnumerable<string> DiscoverBindingTypes(IEnumerable<FunctionMeta
             return bindingTypes;
         }
 
+        internal static string SanitizeHostJson(JObject hostJsonObject)
+        {
+            JObject sanitizedObject = new JObject();
+
+            foreach (var propName in WellKnownHostJsonProperties)
+            {
+                var propValue = hostJsonObject[propName];
+                if (propValue != null)
+                {
+                    sanitizedObject[propName] = propValue;
+                }
+            }
+
+            return sanitizedObject.ToString();
+        }
+
         // Validate that for any precompiled assembly, all functions have the same configuration precedence.
         private void VerifyPrecompileStatus(IEnumerable<FunctionDescriptor> functions)
         {

test/WebJobs.Script.Tests.Integration/Host/WebScriptHostManagerTests.cs

@@ -366,7 +366,7 @@ public TestSystemEventGenerator()
 
                 public List<string> Events { get; private set; }
 
-                public void LogFunctionTraceEvent(TraceLevel level, string subscriptionId, string appName, string functionName, string eventName, string source, string details, string summary, Exception exception = null)
+                public void LogFunctionTraceEvent(TraceLevel level, string subscriptionId, string appName, string functionName, string eventName, string source, string details, string summary)
                 {
                     var elements = new string[] { level.ToString(), subscriptionId, appName, functionName, eventName, source, summary, details };
                     string evt = string.Join(" ", elements.Where(p => !string.IsNullOrEmpty(p)));

test/WebJobs.Script.Tests/Diagnostics/SystemTraceWriterTests.cs

@@ -47,7 +47,7 @@ public void Trace_Verbose_EmitsExpectedEvent()
             traceEvent.Properties.Add(ScriptConstants.TracePropertyFunctionNameKey, functionName);
             traceEvent.Properties.Add(ScriptConstants.TracePropertyEventDetailsKey, details);
 
-            _mockEventGenerator.Setup(p => p.LogFunctionTraceEvent(TraceLevel.Verbose, _subscriptionId, _websiteName, functionName, eventName, traceEvent.Source, details, traceEvent.Message, null));
+            _mockEventGenerator.Setup(p => p.LogFunctionTraceEvent(TraceLevel.Verbose, _subscriptionId, _websiteName, functionName, eventName, traceEvent.Source, details, traceEvent.Message));
 
             _traceWriter.Trace(traceEvent);
 
@@ -67,7 +67,34 @@ public void Trace_Error_EmitsExpectedEvent()
             traceEvent.Properties.Add(ScriptConstants.TracePropertyEventNameKey, eventName);
             traceEvent.Properties.Add(ScriptConstants.TracePropertyFunctionNameKey, functionName);
 
-            _mockEventGenerator.Setup(p => p.LogFunctionTraceEvent(TraceLevel.Error, _subscriptionId, _websiteName, functionName, eventName, traceEvent.Source, string.Empty, traceEvent.Message, ex));
+            _mockEventGenerator.Setup(p => p.LogFunctionTraceEvent(TraceLevel.Error, _subscriptionId, _websiteName, functionName, eventName, traceEvent.Source, ex.ToFormattedString(), traceEvent.Message));
+
+            _traceWriter.Trace(traceEvent);
+
+            _mockEventGenerator.VerifyAll();
+        }
+
+        [Fact]
+        public void Trace_Sanitizes()
+        {
+            string secretReplacement = "[Hidden Credential]";
+            string secretString = "{ \"AzureWebJobsStorage\": \"DefaultEndpointsProtocol=https;AccountName=testAccount1;AccountKey=mykey1;EndpointSuffix=core.windows.net\", \"AnotherKey\": \"AnotherValue\" }";
+            string sanitizedString = $"{{ \"AzureWebJobsStorage\": \"{secretReplacement}\", \"AnotherKey\": \"AnotherValue\" }}";
+
+            string secretException = "Invalid string: \"DefaultEndpointsProtocol=https;AccountName=testaccount;AccountKey=testkey;BlobEndpoint=https://testaccount.blob.core.windows.net/;QueueEndpoint=https://testaccount.queue.core.windows.net/;TableEndpoint=https://testaccount.table.core.windows.net/;FileEndpoint=https://testaccount.file.core.windows.net/;\"";
+            string sanitizedException = $"System.InvalidOperationException : Invalid string: \"{secretReplacement}\"";
+
+            string functionName = "TestFunction";
+            string eventName = "TestEvent";
+
+            Exception ex = new InvalidOperationException(secretException);
+
+            TraceEvent traceEvent = new TraceEvent(TraceLevel.Error, secretString, "TestSource", ex);
+
+            traceEvent.Properties.Add(ScriptConstants.TracePropertyEventNameKey, eventName);
+            traceEvent.Properties.Add(ScriptConstants.TracePropertyFunctionNameKey, functionName);
+
+            _mockEventGenerator.Setup(p => p.LogFunctionTraceEvent(TraceLevel.Error, _subscriptionId, _websiteName, functionName, eventName, traceEvent.Source, sanitizedException, sanitizedString));
 
             _traceWriter.Trace(traceEvent);
 

test/WebJobs.Script.Tests/ScriptHostTests.cs

@@ -1015,7 +1015,7 @@ public void Initialize_AppliesLoggerConfig()
         }
 
         [Fact]
-        public void Initialize_LogsHostJson_IfParseError()
+        public void Initialize_LogsException_IfParseError()
         {
             TestLoggerProvider loggerProvider = null;
             var loggerFactoryHookMock = new Mock<ILoggerFactoryBuilder>(MockBehavior.Strict);
@@ -1048,11 +1048,9 @@ public void Initialize_LogsHostJson_IfParseError()
 
             // We should have gotten sone messages.
             var logger = loggerProvider.CreatedLoggers.Single();
-            Assert.Equal(3, logger.LogMessages.Count);
-            Assert.StartsWith("Reading host configuration file", logger.LogMessages[0].FormattedMessage);
-            Assert.StartsWith("Host configuration file read", logger.LogMessages[1].FormattedMessage);
-            Assert.StartsWith("ScriptHost initialization failed", logger.LogMessages[2].FormattedMessage);
-            Assert.Equal("Unable to parse host.json file.", logger.LogMessages[2].Exception.Message);
+            Assert.Equal(2, logger.LogMessages.Count);
+            Assert.StartsWith("ScriptHost initialization failed", logger.LogMessages[1].FormattedMessage);
+            Assert.Equal("Unable to parse host.json file.", logger.LogMessages[1].Exception.Message);
         }
 
         [Fact]