
I am using ServiceStack.Text and ServiceStack.Logging.NLog to log the DTO requests sent to/from a web service from a .NET client application. While the machines are generally secure, I'd like to redact sensitive information that might be stored in plain-text (think name, address, basic auth creds, etc.).

I've looked at the various JsConfig<T> methods, but it seems like I'd have to implement a SerializeFn<T> for every DTO. There is risk in "missing one", and I'd want to apply it only to the scope of logging.

I've looked at NLog filters, and `when` just changes whether the message is logged.

Is there some universal way to replace sensitive properties/keys/attributes with a redaction marker when logging DTOs with ServiceStack.Logging \ NLog?

jklemmack

1 Answer


There are no scoped serializer options that change what fields should be serialized.

Possible solutions I'd be looking at would be maintaining a whitelist of DTO Types with sensitive info that should not be logged or using reflection to set properties you don't want to null.

ServiceStack has APIs for converting Types into an object dictionary and rehydrating types from Dictionaries, so you could do something like:

```csharp
var map = requestDto.ToObjectDictionary();
ProtectedNames.ForEach(x => map.Remove(x));
```

You can then either serialize the remaining properties in map or convert it back into the Request DTO without the removed properties:

```csharp
var safeDto = map.FromObjectDictionary(requestDto.GetType());
```
labilbe
mythz
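The dictionary approach from the answer, extended into an added example that is not part of the original answer or of ServiceStack: it replaces protected values with a marker instead of removing them, and walks nested DTOs, lists and dictionaries, since `ToObjectDictionary()` only flattens the top level. `LogRedactor`, the sample DTOs and the contents of `ProtectedNames` are assumptions made for illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using ServiceStack; // ToObjectDictionary() and ToJson() from the ServiceStack.Text package

// Constructed sample DTOs, for illustration only.
public class Address { public string Street { get; set; } public string City { get; set; } }
public class CreateCustomer
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Password { get; set; }
    public Address Billing { get; set; }
}

// Hypothetical helper; not a ServiceStack or NLog API.
public static class LogRedactor
{
    public const string Marker = "[REDACTED]";

    // Assumed set of sensitive property/key names, matched case-insensitively.
    static readonly HashSet<string> ProtectedNames = new HashSet<string>(
        new[] { "Name", "Street", "Password", "Authorization" }, StringComparer.OrdinalIgnoreCase);

    // Builds a redacted copy for logging; the original DTO is never modified.
    public static object Redact(object value, int depth = 0)
    {
        if (value == null || value is string || value.GetType().IsValueType)
            return value;                              // leaf value (structs are not inspected)
        if (depth > 8) return Marker;                  // fail closed on deep or cyclic graphs
        if (value is IEnumerable seq && !(value is IDictionary))
            return seq.Cast<object>().Select(x => Redact(x, depth + 1)).ToList();

        // Dictionaries are walked directly; any other object is flattened by ServiceStack.
        var source = value as IDictionary ?? value.ToObjectDictionary();
        var copy = new Dictionary<string, object>();
        foreach (DictionaryEntry entry in source)
        {
            var key = entry.Key.ToString();
            copy[key] = ProtectedNames.Contains(key) ? Marker : Redact(entry.Value, depth + 1);
        }
        return copy;
    }

    public static void Main()
    {
        var dto = new CreateCustomer { Id = 7, Name = "Jane Doe", Password = "hunter2",
            Billing = new Address { Street = "1 Main St", City = "Springfield" } };
        Console.WriteLine(Redact(dto).ToJson());       // pass this string to the logger instead of dto
    }
}
```

Because matching is by property name across every DTO type, a newly added DTO is covered without its own serializer, but a sensitive field with a name missing from `ProtectedNames` is still logged in clear text.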