RSS Feed

Lisp Project of the Day

secret-values

You can support this project by donating at:

Donate using PatreonDonate using Liberapay

Or see the list of project sponsors.

secret-valuessecurity

Documentation🥺
Docstrings😀
Tests 🥺
Examples🥺
RepositoryActivity🥺
CI 🥺

This library can be useful for anybody who is writing services which logs their errors with backtraces. It will protect you from leaking sensitive data like passwords and tokens.

For example, let's pretend we have some code which authenticates to a database with a password. At some moment and error can happen and when you log the backtrace, the password will be logged as well:

POFTHEDAY> (defun authenticate (password)
             (format t "Authenticating with ~A"
                     password)
             (sb-debug:print-backtrace :count 3))

POFTHEDAY> (defun bar (password)
             (authenticate password))

POFTHEDAY> (bar "The Secret Password")

Authenticating with The Secret Password

Backtrace for: #<SB-THREAD:THREAD "sly-channel-1-mrepl-remote-1" RUNNING {1003692013}>
0: (AUTHENTICATE "The Secret Password")
1: (BAR "The Secret Password")
2: (SB-INT:SIMPLE-EVAL-IN-LEXENV (BAR "The Secret Password") #<NULL-LEXENV>)

The secret-values allows to wrap the secret value into the object and retrieve the real value as needed.

POFTHEDAY> (secret-values:conceal-value "The Secret Password" :name "password")
#<SECRET-VALUES:SECRET-VALUE password {100450B623}>

POFTHEDAY> (secret-values:reveal-value *)
"The Secret Password"

Here how we can use it in our example. Pay attention to the backtrace. Now it does not contain the password and such backtrace can be written into the file or sent for diagnostic to the developer:

POFTHEDAY> (defun authenticate (password)
             (format t "Authenticating with ~A"
                     (secret-values:reveal-value password))
             (sb-debug:print-backtrace :count 3))

POFTHEDAY> (let ((pass (secret-values:conceal-value "The Secret Password")))
             (bar pass))

Authenticating with The Secret Password

Backtrace for: #<SB-THREAD:THREAD "sly-channel-1-mrepl-remote-1" RUNNING {1003692013}>
0: (AUTHENTICATE #<SECRET-VALUES:SECRET-VALUE  {10043ABB23}>)
1: (BAR #<SECRET-VALUES:SECRET-VALUE  {10043ABB23}>)
2: ((LAMBDA ()))

I definitely will use it! And you should too!

By the way, does somebody know something about the author Thomas Bakketun and his company Copyleft? Seems they are using the Common Lisp in their stack.


Brought to you by 40Ants under Creative Commons License