Skip to content

Commit c8e125b

Browse files
committed
fix(security): stop logging the package link (it contains the UPN key)
The package link ends with ?upn=<UPN_KEY>, where UPN is the AES key the worker uses to encrypt that user's data. Logging the link puts the decryption key in CloudWatch for the duration of the log group's retention window (30 days), which contradicts the README's stated security model ('encryption key must always remain on the client side, must never be stored on the server side'). Drop the link from the print; package_id alone is enough to correlate log lines.
1 parent f0d0e2f commit c8e125b

1 file changed

Lines changed: 4 additions & 1 deletion

File tree

src/tasks.py

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -919,7 +919,10 @@ def process_package(package_status_id, package_id, link, worker_name='regular_pr
919919
worker Lambda in production. worker_name lets premium-only work skip the
920920
regular-process path; we only run regular_process today.
921921
"""
922-
print(f'handling package {package_id} with link {link}')
922+
# Don't log the link itself: it ends with ?upn=<UPN>, which is the
923+
# AES key for that user's encrypted blob. Logging it would put the
924+
# decryption key in CloudWatch.
925+
print(f'handling package {package_id}')
923926
session = Session()
924927
package_status = session.query(PackageProcessStatus).filter(PackageProcessStatus.id == package_status_id).first()
925928
if not package_status:

0 commit comments

Comments
 (0)