Automatically redact sensitive information from log files

[jellysquid3]

Sometimes, users will upload JVM crash logs, and these unfortunately contain the full list of arguments passed to the Java process. This can include the user's access token, which could allow malicious actors to play the game under their account for a short while.

We should either improve our issue reporting process to explain how to redact this information manually, or otherwise set up a small bot with our GitHub/Discord to automatically scan crash logs for sensitive information.

An example of the access token being leaked through the JVM crash log can be found below.

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x000001a1c254ba80, pid=12692, tid=14452
#
...[snipped]...
Command Line: -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump [..snipped..] --uuid 6307f1759b8c4e00bda5e6a989e624c4 --accessToken d2h5ZGlkeW91dHJ5dG9yZXZlcnNldGhpcw...

[AnalogCyan]

On the Discord side of things, it would be fairly easy to implement the functionality of auto-redacting --accessToken strings in a bot with discord.py by doing something along these lines (assuming the log is sent as text and not a file):

if "--accessToken" in message.content:
	msg = message.content
	await message.delete()
	matches = [i for i, x in enumerate(msg) if x == "--accessToken"]
	for match in matches:
		msg[match+1] = "[REDACTED]"
	[...]

[CatThingy]

If there isn't a pre-existing bot that you would prefer this functionality to be added to, I've implemented this in a bot that can also repeat canned responses.

[piuvas]

is this still needed?

[piuvas]

made a simple discord bot: derspyy/accesstoken-redact-bot.

[piuvas]

regarding a github integration, you can edit a comment and delete the edit history, but i don't know if a bot can do it through the rest api.