# OAuth2 client secret exposed in application logs: sensitive credentials written to log files

- **ID:** `security/oauth2-client-secret-exposed-in-log`
- **Domain:** security
- **Category:** config_error
- **Error code:** `SEC-2001`
- **Verification level:** ai_generated
- **Fix rate:** 88%

## Root cause

The OAuth2 client secret is unintentionally logged as part of a request or configuration dump, exposing the credential to anyone with read access to the log files.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Spring Boot 3.1 | active | — | — |
| Log4j 2.20 | active | — | — |
| Python logging 0.5 | active | — | — |
| Node.js Winston 3.11 | active | — | — |

## Solution

1. Configure a logging filter to redact sensitive fields. For Log4j2, a RegexFilter that denies any event matching the secret pattern can be used: `<RegexFilter regex=".*client_secret=[^&]+" onMatch="DENY" onMismatch="NEUTRAL"/>`
2. Use environment variables or a secret manager (e.g., HashiCorp Vault) to inject the secret at runtime, and ensure the application never logs the raw value. In Spring Boot: `@Value("${client.secret}")` and avoid printing it.

## Ineffective attempts

- Simply rotating the secret without fixing the logging configuration means the new secret will also be logged, perpetuating the exposure. (60% failure rate)
- Adding the secret to a log filter but only for one log level (e.g., ERROR) still exposes it if the application logs at that level, and doesn't cover all loggers. (35% failure rate)
- Some try to mask the secret in logs by truncating it, but if the full secret appears elsewhere (e.g., in a stack trace), the truncation is ineffective. (25% failure rate)
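The following is an added example for the Python logging entry in the compatibility table; it is not code from this record or from any of the listed projects. It implements the redacting-filter fix from the solution section and is shaped to avoid the three ineffective attempts above: redaction is attached to one handler on a parent logger so that every child logger and every level is covered, the full rendered record including the appended traceback is redacted so a secret inside an exception message is caught, and the value is replaced outright rather than truncated. The serialisation forms it recognises (`client_secret=...` in query strings and `'client_secret': '...'` in dict/JSON dumps) and all sample values are constructed assumptions.

```python
import io
import logging
import re

# Assumed forms in which the secret appears in messages: query strings
# ("client_secret=...") and dict/JSON-style dumps ("'client_secret': '...'",
# '"client_secret": "..."'). The value runs until a delimiter that would end
# it in any of those forms. Extend the key list for other field names.
SECRET_RE = re.compile(r"""(client_secret["']?\s*[=:]\s*["']?)([^&\s"',}]+)""")


def redact(text: str) -> str:
    """Replace every client_secret value in text with a fixed marker.
    Full replacement, not truncation: a truncated secret still leaks part of
    the value, and a second, untruncated copy elsewhere defeats it anyway."""
    return SECRET_RE.sub(r"\1[REDACTED]", text)


class RedactingFormatter(logging.Formatter):
    """Redacts the complete rendered record, including the traceback text that
    logging appends when exc_info is set, so a secret inside an exception
    message or a URL shown in the stack trace is also covered."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def install_redaction(parent: str = "app") -> io.StringIO:
    """Attach one redacting handler to a parent logger. Every child logger
    (app.http, app.oauth, ...) propagates to it at every level, so the
    redaction is not tied to a single logger or a single level."""
    buf = io.StringIO()  # stands in for the log file in this example
    handler = logging.StreamHandler(buf)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(name)s: %(message)s"))
    logger = logging.getLogger(parent)
    logger.handlers.clear()  # make repeated calls idempotent
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    return buf


def demo() -> str:
    """Log the three places a secret typically leaks from; return the log text."""
    buf = install_redaction("app")
    secret = "s3cr3tVALUE"  # constructed sample value, not a real credential
    token_url = ("https://idp.example/token?grant_type=client_credentials"
                 "&client_id=cli123&client_secret=" + secret)

    # 1. Request dump at DEBUG level from one logger.
    logging.getLogger("app.http").debug("POST %s", token_url)
    # 2. Config dump at INFO level from another logger.
    logging.getLogger("app.oauth").info(
        "oauth config: %s", {"client_id": "cli123", "client_secret": secret})
    # 3. The secret inside an exception message, logged with a stack trace.
    try:
        raise RuntimeError("token exchange failed for " + token_url)
    except RuntimeError:
        logging.getLogger("app.oauth").error("token exchange error", exc_info=True)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo())
```

Redacting in the formatter rather than in a `logging.Filter` is deliberate: a filter sees `record.msg` and `record.args` but not the traceback string that is rendered later, which is exactly where the truncation approach fails. One caveat: `Formatter.format` caches the rendered traceback on the record as `exc_text` before redaction, so a second handler with a plain formatter attached to the same logger chain would still write the raw value; every handler that reaches a file or a log shipper needs the redacting formatter.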
