Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[A9] - Security Logging and Monitoring Failures - Solution #542

Closed
wants to merge 9 commits into from
Closed

[A9] - Security Logging and Monitoring Failures - Solution #542

wants to merge 9 commits into from

Conversation

henriporto
Copy link
Contributor

This solution refers to which of the apps?

A9 - Security Logging and Monitoring Failures - Python - GamesIrados.com

What did you do to mitigate the vulnerability?

Implemented logging.

Did you test your changes? What commands did you run?

Yes:
Captura de Tela 2022-04-08 às 11 34 14

@lgtm-com
Copy link

lgtm-com bot commented Apr 8, 2022

This pull request introduces 1 alert and fixes 2 when merging a389795 into 60e5cf1 - view on LGTM.com

new alerts:

  • 1 for Clear-text logging of sensitive information

fixed alerts:

  • 1 for Testing equality to None
  • 1 for Unused import

@henriporto henriporto changed the title A9 - Security Logging and Monitoring Failures - Solution [A9] - Security Logging and Monitoring Failures - Solution Apr 12, 2022
gustavocovas
gustavocovas requested changes Apr 18, 2022
View reviewed changes
Copy link
Contributor

@gustavocovas gustavocovas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very good, @henriporto! You covered all the main logging points. I just left some comments regarding some information that would be nice to have at each logging message

owasp-top10-2021-apps/a9/games-irados/app/routes.py Outdated
@@ -27,7 +27,8 @@
bootstrap = Bootstrap(app)

app.config.from_pyfile('config.py')

logging.basicConfig(filename='log.log', level=logging.DEBUG, format=f'%(asctime)s %(levelname)s %(name)s %(threadName)s : %(message)s')
#logging.basicConfig(level=logging.DEBUG, format=f'%(asctime)s %(levelname)s %(name)s %(threadName)s : %(message)s', handlers=[logging.FileHandler("ola_povo.log"),logging.StreamHandler()])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commenting code is a quick way to test different implementations, but it is not a good practice to maintain it after we finish the development. Could you remove the comment?
Why are we using level=logging.DEBUG? All the calls seems to be with logger.info. Using DEBUG could pollute the output (maybe some library will log debug messages?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logs were wrongly configured. I fixed the settings in this new commit! thanks for the feedback!!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, the logging points and messages seems very good now!

However, I would still recommend to use stdout directly instead of a info.log file. Could you take a look at that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed!
Captura de Tela 2022-05-02 às 12 53 40

owasp-top10-2021-apps/a9/games-irados/app/routes.py Outdated Show resolved Hide resolved
owasp-top10-2021-apps/a9/games-irados/app/routes.py Outdated Show resolved Hide resolved
owasp-top10-2021-apps/a9/games-irados/app/routes.py Outdated Show resolved Hide resolved
owasp-top10-2021-apps/a9/games-irados/app/routes.py Show resolved Hide resolved
@gustavocovas gustavocovas self-assigned this Apr 18, 2022
@lgtm-com
Copy link

lgtm-com bot commented Apr 18, 2022

This pull request introduces 1 alert and fixes 3 when merging d2521b2 into 6e036c0 - view on LGTM.com

new alerts:

  • 1 for Clear-text logging of sensitive information

fixed alerts:

  • 2 for Unused import
  • 1 for Testing equality to None

@lgtm-com
Copy link

lgtm-com bot commented Apr 18, 2022

This pull request introduces 2 alerts and fixes 3 when merging 8bf20cf into 6e036c0 - view on LGTM.com

new alerts:

  • 1 for Mismatch in multiple assignment
  • 1 for Clear-text logging of sensitive information

fixed alerts:

  • 2 for Unused import
  • 1 for Testing equality to None

@lgtm-com
Copy link

lgtm-com bot commented May 2, 2022

This pull request introduces 2 alerts and fixes 3 when merging 073a8c3 into 6e036c0 - view on LGTM.com

new alerts:

  • 1 for Mismatch in multiple assignment
  • 1 for Clear-text logging of sensitive information

fixed alerts:

  • 2 for Unused import
  • 1 for Testing equality to None

@henriporto henriporto closed this May 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gustavocovas gustavocovas Awaiting requested review from gustavocovas

Assignees

@gustavocovas gustavocovas

Labels
A10-OWASP-2017 GamesIrados.com
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@henriporto @gustavocovas