Mask out username from events #81
Comments
|
This should be in theory be being done by https://github.com/microsoft/vscode-extension-telemetry/blob/main/src/common/baseTelemetryReporter.ts#L180-L261 can you give an example of a property value that is avoiding this? |
|
@nturinski / @alexweininger / @wwlorey Do you have an example of usernames leaking through the above linked code? In Docker's case, that code would have caught the items that got through (we didn't have that a high enough version of @lramos15 It's a contrived example but I could see an error message that says something like "User bwateratmsft does not have permission to access foo", which isn't a file path, email, or secret so I think it gets through the above code, unless I'm missing something. The function of the code here and here is to mask that "bwateratmsft" (however it's being to aggressive). |
|
This is a tough one because that user string could be anywhere and as you saw with smaller user strings it can even be in common strings within the data. |
|
I agree. In microsoft/vscode-azuretools#1025 our plan was basically to not mask usernames either 3 or 4 (haven't decided which yet) or less characters. It's definitely possible to still mask something we don't need to, even with that in place, but it should become exponentially less common. Otherwise, |
The username (i.e. literally the OS username) could be considered PII, and should be masked out.
In addition to #80, this would allow us to remove our custom masking logic from https://github.com/microsoft/vscode-azuretools/blob/main/ui/src/masking.ts.
We currently have issues in the above file (microsoft/vscode-azuretools#1024), so it's not quite right to filter out the username unconditionally--maybe,
/\bMyUsername\b/ig?The text was updated successfully, but these errors were encountered: