Skip to content

chore(logging): Unify debug log formats by using common logger for legacycli #6071

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(logging): Unify debug log formats by using common logger for legacycli #6071

wants to merge 1 commit into from

Conversation

PeterSchafer
Copy link
Contributor

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages
    are release-note ready, emphasizing
    what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

This PR re-uses the debug logger to log from the legacycli instead of logging itself to stderr. This way all logs go through our loggers and can be centrally configured.
The risk should be low.

Where should the reviewer start?

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

@snyk-io Snyk.io
Copy link

snyk-io bot commented Jul 25, 2025
edited
Loading

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

code/snyk check is complete. No issues have been found. (View Details)

@PeterSchafer PeterSchafer force-pushed the chore/stderr_logger branch from 62a2cc4 to 10fe5a5 Compare July 31, 2025 10:33
@PeterSchafer PeterSchafer marked this pull request as ready for review July 31, 2025 10:48
@PeterSchafer PeterSchafer requested a review from a team as a code owner July 31, 2025 10:48
cursor[bot]
cursor bot reviewed Jul 31, 2025
View reviewed changes
cliv2/pkg/basic_workflows/legacycli.go
} else {
cli.SetIoStreams(os.Stdin, os.Stdout, scrubbedStderr)
cli.SetIoStreams(os.Stdin, os.Stdout, stderr)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Removed Sensitive Data Scrubbing from Stderr

The commit removes the logging.NewScrubbingIoWriter functionality, which previously scrubbed sensitive information from all stderr output. This introduces a security vulnerability where sensitive data (e.g., API tokens, credentials) can now be leaked in stderr. Specifically, when debug mode is disabled, stderr writes directly to os.Stderr without scrubbing, and when debug is enabled, it uses debugLogger which may lack equivalent scrubbing. Furthermore, in non-stdio cases, stdout remains buffered while stderr becomes unbuffered, potentially causing out-of-order output.

Locations (1)
Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@dotkas dotkas dotkas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@PeterSchafer @dotkas