Sulkta-Coop/straw
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

vc=37 (rust): scrub PII from strawcore info-logs

Browse source 
CVE round-2 HIGH-2: android_logger is configured at info-level in
release builds, so log::info!('strawcore::search query={}', query)
emits the user's actual search query to logcat. LogDump.scrubLine's
regex only catches googlevideo URLs + signed params — bare search
text rides through into a Settings → Export Logs share-sheet
attachment intact. Same for channel_info / stream_info URLs.

Replaced the value-bearing logs with shape-only (query_len /
input_len). The shape is enough to debug 'why did the search
return empty?' without the privacy hit.
This commit is contained in:
Kayos 2026-05-25 14:11:00 -07:00
parent ec9d2f37af
commit 780bb6152c
3 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
rust/strawcore/src/channel.rs
View file

@ -23,7 +23,7 @@ pub struct ChannelInfo {
#[uniffi::export(async_runtime = "tokio")]
pub async fn channel_info(input: String) -> Result<ChannelInfo, StrawcoreError> {
log::info!("strawcore::channel_info input={}", input);
log::info!("strawcore::channel_info input_len={}", input.len());
let identifier = resolve_channel_identifier(&input)?;
let core = tokio::task::spawn_blocking(move || core_channel_info(identifier))
.await

7
rust/strawcore/src/search.rs
View file

@ -54,7 +54,12 @@ pub(crate) fn from_core(item: StreamInfoItem) -> SearchItem {
#[uniffi::export(async_runtime = "tokio")]
pub async fn search(query: String) -> Result<Vec<SearchItem>, StrawcoreError> {
log::info!("strawcore::search query={}", query);
// Don't log the query itself — searches are PII (sometimes
// names, sometimes embarrassing) and android_logger emits at
// info-level in release builds, which means they'd ride the
// Settings → Export Logs path straight into a user's chat. Log
// shape, not content. vc=36 audit CVE HIGH-2.
log::info!("strawcore::search query_len={}", query.len());
let result = tokio::task::spawn_blocking(move || {
search_extractor::search(&query, SearchFilter::Videos)
})

2
rust/strawcore/src/stream.rs
View file

@ -57,7 +57,7 @@ pub struct AudioStreamItem {
#[uniffi::export(async_runtime = "tokio")]
pub async fn stream_info(input: String) -> Result<StreamInfo, StrawcoreError> {
log::info!("strawcore::stream_info input={}", input);
log::info!("strawcore::stream_info input_len={}", input.len());
let video_id = resolve_video_id(&input)?;
let video_id_for_call = video_id.clone();
let core = tokio::task::spawn_blocking(move || core_stream_info(&video_id_for_call))