C# library outputs secret information to the ASP.NET Kestrel log file

[dmtooke-imm]

Steps To Reproduce

I'm using BWS to store database connections strings for an ASP.NET MVC application. In a simple example, this can be done like so:

protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
    if (!optionsBuilder.IsConfigured)
    {
	var accessToken = Environment.GetEnvironmentVariable("MY_TOKEN")!;
	var secretId = Guid.Parse(Environment.GetEnvironmentVariable("MY_SECRET")!)!;
	var bitwardenClient = new BitwardenClient();
	bitwardenClient.AccessTokenLogin(accessToken);
	var secretResponse = bitwardenClient.Secrets.Get(secretId);
    	string _connectionString = secretResponse.Value;
    	optionsBuilder.UseMySQL(_connectionString);
    }
}

At runtime, BWS is logging the secret data to the Kestrel log:

2024-06-18 09:41:20 {"accessTokenLogin":{"accessToken":"REDACTED"}}
2024-06-18 09:41:20 {"secrets":{"get":{"id":"REDACTED"}}}

Expected Result

That secret information would not be logged

Actual Result

Secret information is logged

Screenshots or Videos

No response

Additional Context

.NET 8

Operating System

Windows, Linux

Operating System Version

Windows 11, Linux Docker containers

Build Version

0.0.1-alpha

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[coltonhurst]

Hey @dmtooke-imm, thanks for reporting this. We have verified this logging is no longer happening on the latest builds of the SDK. We will need to update our C# NuGet package though 🙂

I'll come back and update this thread once this happens.

[dmtooke-imm]

Great, thanks. It's nice library and I hope it becomes fully supported and more widely advertised soon.