fix(logging): avoid logging sensitive param values (#31522)
Summary:
We noticed that by default when the RootView / ReactView calls runApplication, we're logging at an info level any props ("params") passed to that component. In our case, one of these props was sensitive in nature, causing the value to leak out in logs for our release builds. This is especially problematic on Android where device logs can be accessed by any app which requests that permission.

This is probably more of a concern for brownfield react-native apps, but it seems worthwhile locking this down in non-dev builds.

## Changelog

<!-- Help reviewers and the release process by writing your own changelog entry. For an example, see:
https://github.com/facebook/react-native/wiki/Changelog
-->

[General] [Security] - Avoiding logging root view params outside of dev / debug mode builds

Pull Request resolved: #31522

Test Plan: * build app in release mode on Android and verified I could not see: `Running "my app" with { sensitive: 'thing' }` in logcat in Android Studio with a tethered device

Reviewed By: yungsters

Differential Revision: D31064902

Pulled By: charlesbdudley

fbshipit-source-id: 8b10a46d92a9ec44243dd74384299087260c7d83
Wes Johnson authored and facebook-github-bot committed Oct 7, 2021
1 parent 7bbf549 commit e612d3a
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions Libraries/ReactNative/AppRegistry.js
Expand Up @@ -189,8 +189,10 @@ const AppRegistry = {
displayMode?: number,
): void {
if (appKey !== 'LogBox') {
const msg =
'Running "' + appKey + '" with ' + JSON.stringify(appParameters);
const logParams = __DEV__
? '" with ' + JSON.stringify(appParameters)
: '';
const msg = 'Running "' + appKey + logParams;
infoLog(msg);
BugReporting.addSource(
'AppRegistry.runApplication' + runCount++,
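Review bot: In the non-dev branch `logParams` is `''`, so `msg` ends up as `Running "` followed by `appKey` with no closing quote, because the closing `"` exists only inside the `__DEV__` string `'" with ' + JSON.stringify(appParameters)`. Keep the quote in `msg` itself, for example `'Running "' + appKey + '"' + logParams`, and reduce the dev branch to `' with ' + JSON.stringify(appParameters)`. The `BugReporting.addSource` call that follows is cut off in this view; confirm it only receives `msg` and never `appParameters` directly, otherwise the param values can still leave the process in release builds through bug reports.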