OAuth2 client secret exposed in application log: sensitive credentials written to log file
ID: security/oauth2-client-secret-exposed-in-log
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Spring Boot 3.1 | active | — | — | — |
| Log4j 2.20 | active | — | — | — |
| Python logging 0.5 | active | — | — | — |
| Node.js Winston 3.11 | active | — | — | — |
Root cause analysis
The OAuth2 client secret was inadvertently logged as part of a request or configuration dump, exposing the credential to anyone with access to the log files.
Official documentation
https://logging.apache.org/log4j/2.x/manual/filters.html
Solution
- Configure a logging filter (or layout) to suppress or redact sensitive fields. For Log4j2, a RegexFilter can drop any event whose message carries the secret: `<RegexFilter regex=".*client_secret=[^&]+.*" onMatch="DENY" onMismatch="NEUTRAL"/>`. RegexFilter matches the whole formatted message, so the pattern needs the trailing `.*`; without it, a message that continues after the secret value (e.g. `&grant_type=...`) would not match and would be logged in full.
- Use environment variables or a secret manager (e.g., HashiCorp Vault) to inject the secret at runtime, and ensure the application never logs the raw value. In Spring Boot, bind it with `@Value("${client.secret}")` and never print or dump it.
Ineffective attempts
Common but ineffective approaches:
- 60% failure rate: Simply rotating the secret without fixing the logging configuration means the new secret will also be logged, perpetuating the exposure.
- 35% failure rate: Adding the secret to a log filter for only one log level (e.g., ERROR) still exposes it when the application logs it at another level, and does not cover all loggers.
- 25% failure rate: Some try to mask the secret in logs by truncating it, but if the full secret appears elsewhere (e.g., in a stack trace), the truncation is ineffective.
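The redaction approach from the solution above, applied to the failure modes just listed (per-level filters, secrets surviving in stack traces), as an added example in Python's `logging` module; this is not code from the original page. The formatter sits on the handler and scrubs the fully rendered record, so it covers every level, every logger routed to that handler, and traceback text. The logger name, regex and sample request body are constructed for the example.

```python
import io
import logging
import re

# Matches the value following client_secret in query strings, key=value dumps
# and JSON-style renderings ("client_secret": "..."). Constructed for this example.
SECRET_PATTERN = re.compile(
    r'(client_secret["\']?\s*[=:]\s*["\']?)([^&"\'\s]+)', re.IGNORECASE
)


def redact(text: str) -> str:
    """Replace every client_secret value with a fixed placeholder."""
    return SECRET_PATTERN.sub(r"\1[REDACTED]", text)


class RedactingFormatter(logging.Formatter):
    """Scrubs the final formatted output, after message interpolation and
    traceback rendering, so a secret inside exception text is caught too."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def demo_token_request_logging() -> str:
    """Log a constructed OAuth2 token request at DEBUG and at ERROR (with a
    traceback) through a redacting handler and return the captured output."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # The formatter is attached to the handler, so every logger routed here and
    # every level is covered; there is no per-logger or per-level filter to forget.
    handler.setFormatter(RedactingFormatter("%(levelname)s %(name)s: %(message)s"))
    logger = logging.getLogger("oauth.demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.DEBUG)

    # Constructed sample: a request body an application might dump by mistake.
    body = "grant_type=client_credentials&client_id=app1&client_secret=s3cr3tValue&scope=read"
    logger.debug("token request body: %s", body)
    try:
        raise RuntimeError("token endpoint rejected: " + body)
    except RuntimeError:
        logger.error("token request failed", exc_info=True)

    handler.flush()
    logger.removeHandler(handler)
    return buf.getvalue()
```

Because the scrub happens on the rendered string, the DEBUG line and the `RuntimeError: ...` line of the traceback both come out with `client_secret=[REDACTED]` while the non-secret fields stay readable.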