Onyx2406 commented on PR #3308: URL: https://github.com/apache/fineract/pull/3308#issuecomment-1636733902
Thanks for reviewing this PR in detail. I understand your viewpoint about this being a potential non-issue, considering the nature of the logging libraries being used in the project. You're correct that logback doesn't have the same log injection vulnerabilities as log4j, and there is not any security impact due to this.

You bring up an excellent point about using proper log placeholders instead of string concatenation. This is indeed a better practice, as it leverages the library's built-in protection mechanisms, and I apologize for the oversight on my part.

In regards to the logging level, your comment about using debug instead of warning to control what gets logged in production makes perfect sense. It's certainly a balance to strike between logging necessary data for debugging purposes and avoiding unnecessary bloating of log files.

Also, your recommendation to migrate from java.util.logging.* to Slf4j is noted, and I agree that this could be a positive step for the project. I would like to implement the same.

I will do a more thorough analysis and assure you that I will send such reports via email instead of opening PRs in the future. So, closing this for now.

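An added illustration of the two logging styles compared in this thread: the java.util.logging call with string concatenation at warning level, and the SLF4J equivalent using placeholders at debug level. This is example code written for this page, not code from the Fineract project; the class name, method names and sample values are hypothetical, and the small CR/LF sanitizer is a defensive measure added here rather than something the comment describes.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import org.slf4j.LoggerFactory;

// Hypothetical class illustrating the migration discussed in the thread; not Fineract code.
public class LoanRequestLogging {

    // "Before": java.util.logging with string concatenation at WARNING level.
    // The message string is built eagerly, whether or not WARNING is enabled,
    // and the request-supplied value is spliced directly into the message text.
    private static final Logger JUL_LOG = Logger.getLogger(LoanRequestLogging.class.getName());

    public static void logWithJul(String clientId, String externalRef) {
        JUL_LOG.log(Level.WARNING, "Loan request for client " + clientId + " ref " + externalRef);
    }

    // "After": SLF4J with {} placeholders at DEBUG level.
    // The arguments are only formatted into the message when DEBUG is enabled for
    // this logger, so a production configuration left at INFO pays nothing for the call.
    private static final org.slf4j.Logger LOG = LoggerFactory.getLogger(LoanRequestLogging.class);

    public static void logWithSlf4j(String clientId, String externalRef) {
        LOG.debug("Loan request for client {} ref {}", clientId, sanitizeForLog(externalRef));
    }

    // Placeholders substitute the argument text as-is, so a value that may originate
    // from a request is still stripped of CR/LF here to keep one log record on one line.
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        return value.replace('\r', '_').replace('\n', '_');
    }

    public static void main(String[] args) {
        // Constructed sample input containing an embedded line break.
        String externalRef = "ABC-123\nsecond line";
        logWithJul("client-42", externalRef);
        logWithSlf4j("client-42", externalRef);
    }
}
```

Whether the SLF4J line appears at all is then decided by the logback configuration for the logger's package (for example a `<logger name="..." level="DEBUG"/>` entry), which is the production/debugging balance the thread refers to; the sanitizer is independent of the logging backend and can be applied to either style.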