util/log,*: enforce literal strings in non-formatting log calls #48048
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This change is |
|
❌ The GitHub CI (Cockroach) build has failed on 4152210e. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan. |
|
❌ The GitHub CI (Cockroach) build has failed on 7e54778e. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan. |
irfansharif
approved these changes
Apr 28, 2020
There was a problem hiding this comment.
Reviewed 54 of 54 files at r1, 94 of 94 files at r2, 28 of 28 files at r3, 13 of 13 files at r4.
Reviewable status:complete! 1 of 0 LGTMs obtained (waiting on @knz)
pkg/kv/kvserver/raft_log_queue.go, line 600 at r3 (raw file):
if decision.ShouldTruncate() { if n := decision.NumNewRaftSnapshots(); log.V(1) || n > 0 && rlq.logSnapshots.ShouldProcess(timeutil.Now()) { // TODO(knz,tbg): check how much of this can be included in log.Safe().
All of it, same comment as #48040 (review).
pkg/sql/logictest/logic.go, line 2730 at r2 (raw file):
// "FAIL" marker when -show-sql is set. It also registers the error to the // failure counter. func (t *logicTest) Error(args ...interface{}) {
Perhaps add a TODO here to have logicTest.Error{f} and variants have the same kind of API as we're enforcing elsewhere now.
The previous signature of the non-formatting functions was as follows:
```go
log.Info(ctx context.Context, args ...interface{})
```
This patch changes it to be just:
```go
log.Info(ctx context.Context, msg string)
```
The variadic version is still available via the `...f()` alternative.
This change is motivated by a desire to separate PII-laden and
PII-free logging bits. This change creates an incentive for
users to call the `...f()` variant where the format string is
considered PII-free.
Release note: None
This patch changes the `fmtsafe` linter to enforce that caller of the non-formatting log functions (`log.Info`, `log.Warning` etc) always uses a literal string. This makes it possible to assume that the argument to those functions is PII-free and can be collected in PII-free logs and telemetry. Release note: None
This introduces the sorely-missed formatting variant `log.Shoutf`, and introduces the requirement that the first string argument to both `log.Shout` and `log.Shoutf` be a string literal and thus PII-free suitable for reporting. Release note: None
knz
commented
Apr 30, 2020
There was a problem hiding this comment.
Reviewable status:
pkg/kv/kvserver/raft_log_queue.go, line 600 at r3 (raw file):
Previously, irfansharif (irfan sharif) wrote…
All of it, same comment as #48040 (review).
Done.
pkg/sql/logictest/logic.go, line 2730 at r2 (raw file):
Previously, irfansharif (irfan sharif) wrote…
Perhaps add a TODO here to have
logicTest.Error{f}and variants have the same kind of API as we're enforcing elsewhere now.
Nah, this does not matter: the output from this never makes it to telemetry nor does it ever contain customer-sensitive data.
|
bors r=irfansharif |
Build succeeded |
knz
added a commit
to knz/cockroach
that referenced
this pull request
May 28, 2020
The `fmtsafe` linter added in cockroachdb#48040 cockroachdb#48048 was actually malfunctioning because it was not stripping the vendor prefix properly. This patch fixes it. Fixing the linter uncovered a range of defects throughout the remainder of the code, some benign and some outright bugs. Examples: ``` return pgerror.Wrapf(err, "while running %s", stmt) ``` (The second argument should be the pgcode, not the error string!) ``` return errors.Errorf(`no consistency checks are defined for %s` + gen.Meta().Name) ``` (Incompatible use of `%s` and string concatenation.) ``` errors.New(fmt.Sprintf("foo %s", blah)) ``` (Should use `Newf()` instead to capture more data in telemetry.) Release note: None
knz
added a commit
to knz/cockroach
that referenced
this pull request
Jun 1, 2020
The `fmtsafe` linter added in cockroachdb#48040 cockroachdb#48048 was actually malfunctioning because it was not stripping the vendor prefix properly. This patch fixes it. Fixing the linter uncovered a range of defects throughout the remainder of the code, some benign and some outright bugs. Examples: ``` return pgerror.Wrapf(err, "while running %s", stmt) ``` (The second argument should be the pgcode, not the error string!) ``` return errors.Errorf(`no consistency checks are defined for %s` + gen.Meta().Name) ``` (Incompatible use of `%s` and string concatenation.) ``` errors.New(fmt.Sprintf("foo %s", blah)) ``` (Should use `Newf()` instead to capture more data in telemetry.) Release note: None
craig bot
pushed a commit
that referenced
this pull request
Jun 1, 2020
49660: *: fix the `fmtsafe` linter and fix the fallout r=irfansharif a=knz Found while working on #49447. The `fmtsafe` linter added in #48040 #48048 was actually malfunctioning because it was not stripping the vendor prefix properly. This patch fixes it. Fixing the linter uncovered a range of defects throughout the remainder of the code, some benign and some outright bugs. Examples: ``` return pgerror.Wrapf(err, "while running %s", stmt) ``` (The second argument should be the pgcode, not the error string!) ``` return errors.Errorf(`no consistency checks are defined for %s` + gen.Meta().Name) ``` (Incompatible use of `%s` and string concatenation.) ``` errors.New(fmt.Sprintf("foo %s", blah)) ``` (Should use `Newf()` instead to capture more data in telemetry.) Release note: None Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
jbowens
pushed a commit
to jbowens/cockroach
that referenced
this pull request
Jun 1, 2020
The `fmtsafe` linter added in cockroachdb#48040 cockroachdb#48048 was actually malfunctioning because it was not stripping the vendor prefix properly. This patch fixes it. Fixing the linter uncovered a range of defects throughout the remainder of the code, some benign and some outright bugs. Examples: ``` return pgerror.Wrapf(err, "while running %s", stmt) ``` (The second argument should be the pgcode, not the error string!) ``` return errors.Errorf(`no consistency checks are defined for %s` + gen.Meta().Name) ``` (Incompatible use of `%s` and string concatenation.) ``` errors.New(fmt.Sprintf("foo %s", blah)) ``` (Should use `Newf()` instead to capture more data in telemetry.) Release note: None
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch changes the logging interface and the
fmtsafelinter to enforce that uses of the non-formatting log functions (log.Info,log.Warningetc) always uses a literal string.This makes it possible to assume that the argument to those functions
is PII-free and can be collected in PII-free logs and telemetry.