asf-tooling opened a new issue, #1059:
URL: https://github.com/apache/tooling-trusted-releases/issues/1059
**ASVS Level(s):** L2-only
**Description:**
### Summary
Complete email messages—including headers (sender, recipient), subject, and
full body text—are logged at INFO level. Email bodies contain vote details,
release candidate information, user full names, and mailing list addresses.
When structured logs are forwarded to centralized logging platforms (common in
production environments), sensitive communication content reaches
infrastructure that may be managed by different teams with broader access,
stored in third-party logging services (CloudWatch, Datadog, Splunk, ELK),
subject to different retention and access policies, or potentially exposed
through log analysis tools or SIEM systems.
### Details
The issue exists in `atr/mail.py` lines 58 and 84. Full email content
including body text is logged at INFO level, which is typically forwarded to
centralized logging systems.
### Recommended Remediation
Replace full email content logging with metadata-only logging:
```python
# In atr/mail.py, replace lines 58 and 84
# Instead of:
# log.info("Sending email", msg=msg_data)
# Use (metadata only; the body never enters the record):
log.info(
    "Sending email",
    recipient=msg_data.email_recipient,
    subject=msg_data.subject,
    message_id=msg_data.message_id,
    body_length=len(msg_data.body),
)
# Alternative with domain-only logging (rpartition avoids an IndexError
# on an address without an "@"; the subject is cut at the first ":" or
# truncated to 20 characters):
log.info(
    "Sending email",
    recipient_domain=msg_data.email_recipient.rpartition("@")[2],
    subject_prefix=(
        msg_data.subject.split(":", 1)[0]
        if ":" in msg_data.subject
        else msg_data.subject[:20]
    ),
    body_length=len(msg_data.body),
    message_id=msg_data.message_id,
)
```
Do NOT log the body content at INFO level. If full content logging is needed
for debugging, use DEBUG level and ensure DEBUG logs are not forwarded to
centralized systems in production.
### Acceptance Criteria
- [ ] Full email body logging removed from INFO level
- [ ] Metadata-only logging implemented (recipient, subject, message_id)
- [ ] Unit tests verify body content is not in log output
- [ ] Integration tests verify logging behavior
- [ ] Documentation updated with logging policy
- [ ] Production logging configuration verified to not forward DEBUG logs
### References
- Source reports: L2:14.2.3.md, L2:14.2.4.md
- Related findings: None
- ASVS sections: 14.2.3, 14.2.4
- CWE: CWE-532
### Priority
Medium
---
**Related issue:**
https://github.com/apache/tooling-trusted-releases/issues/1033
---
**Triage notes:** discussion - per another issue we will decide how to
handle this, related to
https://github.com/apache/tooling-trusted-releases/issues/1033
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
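As an added illustration of the metadata-only and domain-only variants recommended in the issue, together with the unit-test check from the acceptance criteria: this is example code, not ATR's own `atr/mail.py`; the `EmailMessage` class, its field names, the logger name and the sample message are assumptions. The handler level models the forwarding policy, so the test can assert that the body never reaches the INFO stream and that a shipper mistakenly configured to forward DEBUG would leak it.

```python
"""Metadata-only email logging with a leak check (added example, not ATR code)."""
import io
import logging
from dataclasses import dataclass


# Hypothetical stand-in for the message object in atr/mail.py; field names are assumed.
@dataclass(frozen=True)
class EmailMessage:
    email_sender: str
    email_recipient: str
    subject: str
    body: str
    message_id: str


def recipient_domain(address: str) -> str:
    """Domain part of an address, lower-cased; 'invalid' when there is no '@'."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep and domain else "invalid"


def subject_prefix(subject: str, limit: int = 20) -> str:
    """Text before the first ':' when present, otherwise a bounded prefix."""
    head, sep, _ = subject.partition(":")
    return head.strip() if sep else subject[:limit]


def email_log_fields(msg: EmailMessage, *, domain_only: bool = False) -> dict:
    """Fields that may leave the host: never the body, never a display name."""
    fields = {"message_id": msg.message_id, "body_length": len(msg.body)}
    if domain_only:
        fields["recipient_domain"] = recipient_domain(msg.email_recipient)
        fields["subject_prefix"] = subject_prefix(msg.subject)
    else:
        fields["recipient"] = msg.email_recipient
        fields["subject"] = msg.subject
    return fields


class KeyValueFormatter(logging.Formatter):
    """Render record.fields as sorted key=value pairs (stand-in for a JSON formatter)."""

    def format(self, record: logging.LogRecord) -> str:
        fields = getattr(record, "fields", {})
        pairs = " ".join(f"{k}={v!r}" for k, v in sorted(fields.items()))
        return f"{record.levelname} {record.getMessage()} {pairs}".rstrip()


def build_forwarding_logger(stream, *, forward_debug: bool = False) -> logging.Logger:
    """Logger whose single handler models the shipper to a central log platform.

    The handler level is the forwarding policy: INFO by default, so DEBUG
    records are produced locally but never written to the forwarded stream.
    """
    logger = logging.getLogger("mail.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setLevel(logging.DEBUG if forward_debug else logging.INFO)
    handler.setFormatter(KeyValueFormatter())
    logger.addHandler(handler)
    return logger


def log_send(logger: logging.Logger, msg: EmailMessage, *, domain_only: bool = False) -> None:
    """INFO carries metadata only; the full content exists solely at DEBUG."""
    logger.info("Sending email", extra={"fields": email_log_fields(msg, domain_only=domain_only)})
    logger.debug("Email content", extra={"fields": {"message_id": msg.message_id, "body": msg.body}})


def captured_send(msg: EmailMessage, *, domain_only: bool = False, forward_debug: bool = False) -> str:
    """Return exactly what the forwarding handler would ship for one send."""
    shipped = io.StringIO()
    log_send(build_forwarding_logger(shipped, forward_debug=forward_debug), msg, domain_only=domain_only)
    return shipped.getvalue()


# Constructed sample message; not a real ASF vote thread.
SAMPLE = EmailMessage(
    email_sender="rm@example.org",
    email_recipient="dev@example.org",
    subject="[VOTE] Release Example 1.2.3 RC1",
    body="Hi all,\n\nPlease vote on releasing Example 1.2.3 RC1.\n\n+1 (binding) from Jane Doe\n",
    message_id="<rc1-vote@example.org>",
)

if __name__ == "__main__":
    print(captured_send(SAMPLE), end="")
    print(captured_send(SAMPLE, domain_only=True), end="")
```

The `forward_debug=True` path is the misconfiguration the last acceptance criterion guards against: the DEBUG record with the full body is emitted on the same stream, so the production check is on the shipper's level, not only on the call site.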