Sulkta-OSS/straw
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

vc=37 (rust): scrub PII from strawcore info-logs

Browse source 
CVE round-2 HIGH-2: android_logger is configured at info-level in
release builds, so log::info!('strawcore::search query={}', query)
emits the user's actual search query to logcat. LogDump.scrubLine's
regex only catches googlevideo URLs + signed params — bare search
text rides through into a Settings → Export Logs share-sheet
attachment intact. Same for channel_info / stream_info URLs.

Replaced the value-bearing logs with shape-only (query_len /
input_len). The shape is enough to debug 'why did the search
return empty?' without the privacy hit.
This commit is contained in:
Kayos 2026-05-25 14:11:00 -07:00
parent ec9d2f37af
commit 780bb6152c
3 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
rust/strawcore/src/stream.rs
View file

@ -57,7 +57,7 @@ pub struct AudioStreamItem {
#[uniffi::export(async_runtime = "tokio")]
pub async fn stream_info(input: String) -> Result<StreamInfo, StrawcoreError> {
log::info!("strawcore::stream_info input={}", input);
log::info!("strawcore::stream_info input_len={}", input.len());
let video_id = resolve_video_id(&input)?;
let video_id_for_call = video_id.clone();
let core = tokio::task::spawn_blocking(move || core_stream_info(&video_id_for_call))