[NET8 Log Redaction] Detect direct logging of redacted information
LiorBanai opened this issue
Is your feature request related to a problem? Please describe.
In .NET 8 Microsoft added redaction capabilities for logging; example: https://andrewlock.net/redacting-sensitive-data-with-microsoft-extensions-compliance/
Describe the solution you'd like
I would like to have an analyzer that detects direct logging of properties that use redaction attributes.
Describe alternatives you've considered
There could be a step during compilation, but if it is possible to detect it as soon as possible, it would be great.
Additional context
N/A
Great library. I'm using it in all of my projects.
Can you provide a small sample of what should be detected?
Let's say I do not want to log patient information in logs (but still log patient data) like:

```csharp
// [PiiData] is a custom attribute derived from DataClassificationAttribute (see DataTaxonomy.PiiData below)
public partial class PatientInfo
{
    [PiiData] public string PatientId { get; set; }
    public ulong RecordId { get; set; } // the record Id in the backend database
    [PiiData] public string FirstName { get; set; }
    [PiiData] public string MiddleName { get; set; }
    [PiiData] public string LastName { get; set; }
    public DateTimeOffset? ScheduledDate { get; set; } // UTC value
    public string Department { get; set; }
    public DateTimeOffset? DateOfBirth { get; set; } // UTC value
    [PiiData] public string MedicalRecordNumber { get; set; } // same as Patient ID
}
```
When using redaction and the [LogProperties] attribute as:

```csharp
[LoggerMessage(Level = LogLevel.Information, Message = "Patient Information {source}")]
public static partial void LogPatient(ILogger logger, string source, [LogProperties] PatientInfo patient);
```

the properties with [PiiData] are redacted using:
```csharp
services.AddRedaction(x =>
{
    x.SetRedactor<StarRedactor>(new DataClassificationSet(DataTaxonomy.SensitiveData));
    x.SetRedactor<StarRedactor>(new DataClassificationSet(DataTaxonomy.PiiData));
});
```

which is shown in the log as:
```json
{
  "@timestamp": "2023-12-22T18:18:26.0423257+02:00",
  "log.level": "Information",
  "message": "Patient Information method1",
  "ecs.version": "8.6.0",
  "labels": {
    "MessageTemplate": "Patient Information {source}",
    "patient.DateOfBirth": "24/06/1997 7:57:48 +00:00",
    "patient.Department": "Surgery",
    "patient.ScheduledDate": "21/12/2023 6:49:44 +02:00",
    "patient.MedicalRecordNumber": "**************************************",
    "patient.LastName": "**********************",
    "patient.MiddleName": "************************",
    "patient.FirstName": "**************************",
    "patient.PatientId": "***********************"
  }
}
```
But if I log properties directly, like:

```csharp
Logger.LogInformation("Patient name: {name}", patient.FirstName);
```

that will be logged. I would like to get a warning when I try to log any PII information (or any other redacted properties) as in the above line.
Something like: "FirstName is a redacted log property. Consider using the LogProperties attribute instead".
If I understood correctly, the new rule should detect the usage of any member (field, property, parameter) decorated with Microsoft.Extensions.Compliance.Classification.DataClassificationAttribute:

```csharp
// Report the second argument
logger.LogInformation("dummy", obj.PropertyDecoratedWithDataClassificationAttribute);
```
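For readers who want to see what such a rule looks like in practice, below is an added example of a minimal Roslyn analyzer implementing the check described in this thread. It is not the library's own implementation and is not code from either participant. It assumes the diagnostic id `LOG001`, the class name `RedactedMemberLoggedDirectlyAnalyzer` and the message text (hypothetical placeholders), and that the project references `Microsoft.CodeAnalysis.CSharp` and the analyzed code references `Microsoft.Extensions.Logging` and `Microsoft.Extensions.Compliance.Abstractions`, so that the attribute and logger types resolve by metadata name. A custom attribute such as `[PiiData]` is detected because the check walks the attribute's base types up to `DataClassificationAttribute`.

```csharp
using System.Collections.Generic;
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Operations;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class RedactedMemberLoggedDirectlyAnalyzer : DiagnosticAnalyzer
{
    // Hypothetical diagnostic id and message; wording follows the request in the issue.
    private static readonly DiagnosticDescriptor Rule = new(
        id: "LOG001",
        title: "Data-classified member logged directly",
        messageFormat: "'{0}' is a redacted log property. Consider using the [LogProperties] attribute instead",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        context.RegisterCompilationStartAction(start =>
        {
            // Resolve the marker types once per compilation; do nothing if the packages are not referenced.
            var classificationAttr = start.Compilation.GetTypeByMetadataName(
                "Microsoft.Extensions.Compliance.Classification.DataClassificationAttribute");
            var loggerType = start.Compilation.GetTypeByMetadataName("Microsoft.Extensions.Logging.ILogger");
            var loggerExtensions = start.Compilation.GetTypeByMetadataName("Microsoft.Extensions.Logging.LoggerExtensions");
            if (classificationAttr is null || loggerType is null) return;

            start.RegisterOperationAction(
                ctx => AnalyzeInvocation(ctx, classificationAttr, loggerType, loggerExtensions),
                OperationKind.Invocation);
        });
    }

    private static void AnalyzeInvocation(OperationAnalysisContext ctx, INamedTypeSymbol classificationAttr,
        INamedTypeSymbol loggerType, INamedTypeSymbol? loggerExtensions)
    {
        var invocation = (IInvocationOperation)ctx.Operation;
        var containingType = invocation.TargetMethod.ContainingType;

        // Only ILogger.Log(...) and the LoggerExtensions.Log* helpers (LogInformation, LogWarning, ...) are logging calls.
        bool isLoggerCall = SymbolEqualityComparer.Default.Equals(containingType, loggerExtensions)
                         || SymbolEqualityComparer.Default.Equals(containingType, loggerType);
        if (!isLoggerCall) return;

        foreach (var argument in invocation.Arguments)
        {
            foreach (var value in Flatten(argument.Value))
            {
                var member = ReferencedMember(value);
                if (member is not null && IsClassified(member, classificationAttr))
                    ctx.ReportDiagnostic(Diagnostic.Create(Rule, value.Syntax.GetLocation(), member.Name));
            }
        }
    }

    // `params object[] args` arrives as an implicit array creation whose elements are boxed;
    // descend into the initializer and strip the conversions so the member reference is visible.
    private static IEnumerable<IOperation> Flatten(IOperation op)
    {
        while (op is IConversionOperation conv) op = conv.Operand;
        if (op is IArrayCreationOperation { Initializer: { } init })
        {
            foreach (var element in init.ElementValues)
                foreach (var inner in Flatten(element))
                    yield return inner;
        }
        else yield return op;
    }

    // The rule covers fields, properties and parameters, as discussed in the thread.
    private static ISymbol? ReferencedMember(IOperation op) => op switch
    {
        IPropertyReferenceOperation p => p.Property,
        IFieldReferenceOperation f => f.Field,
        IParameterReferenceOperation p => p.Parameter,
        _ => null,
    };

    // True when the member carries an attribute that is, or derives from, DataClassificationAttribute.
    private static bool IsClassified(ISymbol member, INamedTypeSymbol classificationAttr)
    {
        foreach (var attr in member.GetAttributes())
            for (var t = attr.AttributeClass; t is not null; t = t.BaseType)
                if (SymbolEqualityComparer.Default.Equals(t, classificationAttr))
                    return true;
        return false;
    }
}
```

Running this over `Logger.LogInformation("Patient name: {name}", patient.FirstName);` reports on the `patient.FirstName` argument, while the `[LogProperties] PatientInfo patient` source-generated call is untouched because the whole object, not a classified member, is passed. The check is purely syntactic on the call site: copying the value into a local first (`var name = patient.FirstName;`) or interpolating it into the message string is not followed, so it is a guard rail against the common mistake, not a dataflow guarantee.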
Thanks for the fast solution. I'll give it a try and update.