Add log level between --verbose and --silent #21

Closed
johannes-huther opened this issue May 22, 2021 · 0 comments
johannes-huther commented May 22, 2021

I'd like to have another log level between `--verbose`/`-v` and `--silent`/`-s`.

Currently, it is possible to pick between `-v` (default) and `-s` with the `silent: [bool]` parameter in the workflow config. Both of these options don't fit my needs:

  • `--verbose`/`-v` logs a lot of information to the publicly available workflow runs that I do not want to be available, including the domain of the `webhook_url` that I (as suggested in README.md) explicitly used a secret for. Also, the resolved IP address is logged. This opens the door for DDoS attacks and makes hacking the machine one step easier.
  • `--silent`/`-s` doesn't log anything (but I think this is obvious 😄), not even the response code.

Not specifying either `-v` or `-s` does log a minimal amount of output, which would be enough for me to debug most issues, but little enough to not compromise on privacy.

Example output (on Windows, but it should be similar on Alpine): `curl: (22) The requested URL returned error: 403 Forbidden`. That's all.

I think the best way to address this issue is to add another option `verbose: [bool]` similar to `silent: [bool]`.

Once again (as in #20), I do believe this new log level should be the default, but your opinion and that of other users might vary. Depending on your opinion, the default value could be `verbose: true` or `verbose: false`.

Having the new log level as the default would also make fixing #22 way less critical.

@johannes-huther johannes-huther changed the title Add debug level between --verbose and --silent Add log level between --verbose and --silent May 22, 2021
johannes-huther added a commit to johannes-huther/webhook.sh that referenced this issue May 22, 2021
Adds a new log level between `--verbose` and `--silent`.

Defaults to the new log level. Added new option `verbose` that
re-enables verbose output (previous default) if set to `true`.

This allows easier debugging without entirely compromising on privacy
and security (domain, IP addresses etc.). For more details see distributhor#21.

This also reduces the probability of replay attacks as mentioned in distributhor#22,
as the signatures are no longer logged by default.
distributhor added a commit that referenced this issue Jun 5, 2021
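
The exposure described in the issue can be checked for mechanically. The following is an added example, not code from webhook.sh or from the issue author: it scans a captured workflow log for the `curl --verbose` lines that reveal the host, the resolved IP or a signature header. The sample logs, the function names and the `X-Example-Signature` header are constructed assumptions.

```shell
#!/bin/sh
# Lines of `curl --verbose` output that expose connection details:
#   "*   Trying <ip>..." / "* Connected to <host> (<ip>)"  -> resolved address, host
#   "> Host: <host>"                                       -> request Host header
#   "> <name containing 'signature'>: ..."                 -> request signature header
LEAK_RE='^\*[[:space:]]+(Trying|Connected to)[[:space:]]|^>[[:space:]]*Host:|^>[[:space:]]*[A-Za-z0-9-]*signature[A-Za-z0-9-]*:'

# Count leaking lines in the log read from stdin.
# grep -c still prints 0 when nothing matches but exits 1, hence "|| true".
count_leaks() {
    grep -Eic "$LEAK_RE" || true
}

# CI gate: succeed only if the log on stdin exposes nothing.
log_is_clean() {
    [ "$(count_leaks)" -eq 0 ]
}

# Constructed sample of what the verbose level writes (host, IP, header are made up).
sample_verbose_log() {
    cat <<'EOF'
*   Trying 203.0.113.10:443...
* Connected to hooks.example.com (203.0.113.10) port 443 (#0)
> POST /hooks/deploy HTTP/1.1
> Host: hooks.example.com
> X-Example-Signature: sha1=0000000000000000000000000000000000000000
< HTTP/1.1 403 Forbidden
curl: (22) The requested URL returned error: 403 Forbidden
EOF
}

# Constructed sample of the level the issue asks for (error line only).
sample_default_log() {
    cat <<'EOF'
curl: (22) The requested URL returned error: 403 Forbidden
EOF
}

echo "verbose level: $(sample_verbose_log | count_leaks) leaking line(s)"
echo "default level: $(sample_default_log | count_leaks) leaking line(s)"
```

Piping a saved run log into `log_is_clean` lets a pipeline step fail whenever verbose output has reached a public log.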