[protobuf] Proposal: a mechanism to deal with sensitive/redacted fields in string output

Thu, 16 Feb 2017 13:45:39 -0800 

There are many ways that protocol buffers might be stringified into logs, 
accidentally or on purpose, printed in stack traces, etc. The built-in 
behavior stringifies the entire protobuf recursively, including all field 
data.

At Square, we deal with payments, and often have data of varying 
sensitivity in protobuf fields, which we'd like to be elided from 
stringified output.

We use an internal fork of protoc to handle a custom field option, 
"redacted", and have also patched the stringification code to print 
"[REDACTED]" for those fields. We do the same in Go, and in the C 
implementation (for Ruby).

Last year, we chatted with the protobuf team, and they were sympathetic to 
our use case (in fact, they mentioned that the part of Google that deals 
with payments has something similar internally: I think that's where the 
"sensitive" name came from). I'd like to get that discussion rolling again.

We'd like to see one of the following happen (in decreasing order of 
awesomeness for us):

   - upstreaming of the "redacted" field option, and modification of the 
   runtimes to elide redacted fields when stringifying
   - introduction of generic interception points to selectively override 
   default stringification behavior in Java, Go, and Ruby (at least).
   - addition of a "SerializeToString" or equivalent method, and removal of 
   default full-stringification behavior of the toString (Java), String (Go), 
   etc. - that way you only serialize on purpose
      - many tests rely on string comparison, even though nobody is 
      supposed to rely on it being stable - perhaps the default behavior could 
      compute a hash?
   
Josh Humpries (who now works at Fullstory) created a proposal 
<https://github.com/google/protobuf/issues/1160> a while back, but it 
didn't go anywhere. I reached out to the protobuf team, and Damien Neil 
suggested that this group was the appropriate place to propose such changes.

Bikeshed away!

Zellyn

-- 
You received this message because you are subscribed to the Google Groups 
"Protocol Buffers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to protobuf+unsubscr...@googlegroups.com.
To post to this group, send email to protobuf@googlegroups.com.
Visit this group at https://groups.google.com/group/protobuf.
For more options, visit https://groups.google.com/d/optout.

Reply via email to