From f42bc8a031b92586e2aacdad20108c6ea4ee2e8e Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sun, 4 Feb 2018 13:31:39 -0600
Subject: [PATCH] Cleanup exception reporting, stop logging PDO exception stacks.

PDOException stacks include the MySQL password for the connection attempt and many people do not realize this when providing logs.
---
 CHANGELOG.md | 3 +++
 app/Exceptions/Handler.php | 29 ++++++++++++++++++++++++++---
 config/app.php | 16 ++++++++++++++++
 3 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b0b31e4b..d5694a9e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,9 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * `[rc.1]` — Fixed a bug that would occur when attempting to reset the daemon secret for a node.
 * `[rc.1]` — Fix exception thrown when attempting to modify an existing database host.
 
+### Changed
+* Changed logger to skip reporting stack-traces on PDO exceptions due to sensitive information being contained within.
+
 ## v0.7.0-rc.1 (Derelict Dermodactylus)
 ### Fixed
 * `[beta.4]` — Fixes some bad search and replace action that happened previously and was throwing errors when validating user permissions.
diff --git a/app/Exceptions/Handler.php b/app/Exceptions/Handler.php
index 111d2a6b8..96a9c366b 100644
--- a/app/Exceptions/Handler.php
+++ b/app/Exceptions/Handler.php
@@ -3,6 +3,8 @@ namespace Pterodactyl\Exceptions;
 use Exception;
+use PDOException;
+use Psr\Log\LoggerInterface;
 use Illuminate\Auth\AuthenticationException;
 use Illuminate\Session\TokenMismatchException;
 use Illuminate\Validation\ValidationException;
@@ -43,17 +45,35 @@ class Handler extends ExceptionHandler
     ];
 
     /**
-     * Report or log an exception.
+     * Report or log an exception. Skips Laravel's internal reporter since we
+     * don't need or want the user information in our logs by default.
      *
-     * This is a great spot to send exceptions to Sentry, Bugsnag, etc.
+     * If you want to implement logging in a different format to integrate with
+     * services such as AWS Cloudwatch or other monitoring you can replace the
+     * contents of this function with a call to the parent reporter.
      *
      * @param \Exception $exception
+     * @return mixed
      *
      * @throws \Exception
      */
     public function report(Exception $exception)
     {
-        parent::report($exception);
+        if (! config('app.exceptions.report_all', false) && $this->shouldntReport($exception)) {
+            return null;
+        }
+
+        if (method_exists($exception, 'report')) {
+            return $exception->report();
+        }
+
+        try {
+            $logger = $this->container->make(LoggerInterface::class);
+        } catch (Exception $ex) {
+            throw $exception;
+        }
+
+        return $logger->error($exception instanceof PDOException ? $exception->getMessage() : $exception);
     }
 
     /**
@@ -71,6 +91,9 @@ class Handler extends ExceptionHandler
     }
 
     /**
+     * Transform a validation exception into a consistent format to be returned for
+     * calls to the API.
+     *
      * @param \Illuminate\Http\Request $request
      * @param \Illuminate\Validation\ValidationException $exception
      * @return \Illuminate\Http\JsonResponse
diff --git a/config/app.php b/config/app.php
index 9a346918c..03742244b 100644
--- a/config/app.php
+++ b/config/app.php
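Review bot: The `instanceof PDOException` test on the final `$logger->error(...)` line only inspects the outermost exception, so a PDOException that arrives wrapped as the `previous` of another exception (the usual shape once a service layer catches and re-throws) is still handed to the logger as a full object, and if the configured formatter prints the previous chain with stack traces the connection-attempt frames this commit is trying to keep out of the logs land there anyway. Walking `getPrevious()` closes that gap, and a small private helper keeps the `report()` body readable (sketch below). Two smaller points on the same hunk: Laravel's `QueryException` extends `PDOException`, so on that path `getMessage()` still embeds the bound query values, which may themselves be sensitive, and a comment such as `// message only: a PDOException trace carries the DSN/credentials of the connection attempt` would make clear that the message-only branch is about the trace rather than a sanitized message; and `catch (Exception $ex)` around the container lookup does not catch a `Throwable`, which would then surface in place of the original `$exception`.
```php
        // … unchanged: report_all / shouldntReport guard, ->report() dispatch, logger lookup …

        return $logger->error($this->chainContainsPdoException($exception) ? $exception->getMessage() : $exception);
    }

    /**
     * Whether the exception, or any exception in its "previous" chain, is a PDOException.
     * Those traces carry the arguments of the connection attempt, which is why only the
     * message is logged for them.
     */
    private function chainContainsPdoException(Exception $exception): bool
    {
        for ($current = $exception; $current !== null; $current = $current->getPrevious()) {
            if ($current instanceof PDOException) {
                return true;
            }
        }

        return false;
    }
```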
@@ -133,6 +133,22 @@ return [
     'log_level' => env('APP_LOG_LEVEL', 'info'),
 
+    /*
+    |--------------------------------------------------------------------------
+    | Exception Reporter Configuration
+    |--------------------------------------------------------------------------
+    |
+    | If you're encountering weird behavior with the Panel and no exceptions
+    | are being logged try changing the environment variable below to be true.
+    | This will override the default "don't report" behavior of the Panel and log
+    | all exceptions. This will be quite noisy.
+    |
+    */
+
+    'exceptions' => [
+        'report_all' => env('APP_REPORT_ALL_EXCEPTIONS', false),
+    ],
+
     /*
     |--------------------------------------------------------------------------
     | Autoloaded Service Providers