Skip to content

fix: [#946] stop WithContext from leaking framework context keys#1456

Merged
krishankumar01 merged 15 commits into
masterfrom
kkumar-gcc/#946
May 3, 2026
Merged

fix: [#946] stop WithContext from leaking framework context keys#1456
krishankumar01 merged 15 commits into
masterfrom
kkumar-gcc/#946

Conversation

@krishankumar01

@krishankumar01 krishankumar01 commented Apr 28, 2026

Copy link
Copy Markdown
Member

📑 Description

Closes goravel/goravel#946

facades.Log().WithContext(ctx) was reflecting over the context and dumping every key/value, leaking GoravelAuthJwt and any other framework-internal values into logs. This filters the dump instead of removing it (the propagation use case from #282 still works).

Behavior

  • Default exclude list (always applied): GoravelAuthJwt, goravel_http_client_name.
  • Optional logging.context.exclude config ([]any) extends it. Not added to the default config stub — opt-in via docs.

Matching rules

Two matchers run per key:

  • By identity (==): for non-string []any config entries, e.g. []any{middleware.PanicTest{}}.
  • By name: for default entries and string config entries. Compared against the key's shortName first, then its qualifiedName.

shortName(k) returns the underlying string for string-kind keys and %T (e.g. pkg.Type) for everything else. qualifiedName(k) returns the import-path-qualified type (github.com/.../pkg.Type).

Output labels

  • String-kind keys: their string content.
  • Struct sentinels: short pkg.Type form by default; if two keys would share the same short form (same package name in different modules), only the colliding ones escalate to fully-qualified import paths. Non-colliding keys keep the short form.

Notes

  • Uncomparable user entries (slice/map from a misconfig) are silently skipped instead of panicking.
  • Config is read once per handler via sync.Once; runtime hot-swaps are not picked up.

✅ Checks

  • Added test cases for my code

Copilot AI review requested due to automatic review settings April 28, 2026 15:16
@krishankumar01
krishankumar01 requested a review from a team as a code owner April 28, 2026 15:16
@krishankumar01
krishankumar01 marked this pull request as draft April 28, 2026 15:17
@codecov

codecov Bot commented Apr 28, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 94.11765% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.30%. Comparing base (c7f8e15) to head (f309615).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
log/logger/utils.go 95.29% 2 Missing and 2 partials ⚠️
log/logger/handler.go 88.23% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1456      +/-   ##
==========================================
+ Coverage   69.25%   69.30%   +0.04%     
==========================================
  Files         367      367              
  Lines       28890    28949      +59     
==========================================
+ Hits        20007    20062      +55     
- Misses       7985     7987       +2     
- Partials      898      900       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Stops WithContext log output from leaking framework-internal context keys by introducing default context-key filtering and an optional user-configurable exclude list.

Changes:

  • Added a default denylist of framework-internal context keys and a helper to filter context values before logging.
  • Updated IOHandler text/JSON formatting to use the filtered context map.
  • Expanded unit tests to verify default filtering behavior, typed-string key matching, and user-specified excludes.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
log/logger/utils.go Adds default excluded keys and filterContextValues; refactors context extraction.
log/logger/handler.go Centralizes context extraction + filtering via contextValues() and applies it to text/JSON output.
log/logger/utils_test.go Adds focused tests for context filtering behavior and key stringification.
log/logger/handler_test.go Adds integration-style handler tests to ensure filtering works in emitted logs.
log/writer_test.go Updates WithContext expectations to assert secrets/framework keys are not written.

Comment thread log/logger/utils.go Outdated
@krishankumar01
krishankumar01 marked this pull request as ready for review April 28, 2026 15:33
Copilot AI review requested due to automatic review settings April 28, 2026 15:33

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Comment thread log/logger/handler.go
Comment thread log/logger/utils.go Outdated
Comment thread log/logger/handler.go
Copilot AI review requested due to automatic review settings April 28, 2026 16:06

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Comment thread log/logger/handler.go
Copilot AI review requested due to automatic review settings April 28, 2026 16:30

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Comment thread log/logger/handler.go Outdated
Copilot AI review requested due to automatic review settings April 29, 2026 05:16

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Comment thread log/logger/utils.go Outdated
Comment thread log/logger/utils.go Outdated
Comment thread log/logger/utils.go Outdated
@krishankumar01
krishankumar01 requested a review from hwbrzzl April 29, 2026 05:43
Comment thread log/logger/utils_test.go Outdated
Comment thread log/logger/utils_test.go
utilsContextKey("locale"): "fr",
"request_id": "req-1",
},
expect: map[string]any{"request_id": "req-1"},

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The string locale is excepted as default, not utilsContextKey("locale"). Is it acceptable to log utilsContextKey("locale") here?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Filter matches by label form, not by exact type. So utilsContextKey("locale") produces label locale and hits the default. If you'd rather match by exact type, we'd need each framework package to export its sentinel.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, what's the meaning of each framework package to export its sentinel? For example?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the keys collide, we either expose the key type so values don't collide, or match by the string value. Say I set the locale key as a struct localeType. Since it's internal to the package, you can't pass []any{localeType{}} in the config to exclude it, so you'd have to use the value "locale" instead. So either we export LocalType, or we keep matching by value.
That said, in this case I don't think we need to filter locale by default. It's small and not noisy.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hence, are framework.utilsContextKey("locale") in the configuration and utilsContextKey("locale") in the framework internal different?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it’s the same value. If the framework exports the type, then creating framework.utilsContextKey("locale") in user config gives you the same key as the one used internally. Since both the type and value match, they compare equal and work fine as map keys.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested it with a custom key PanicTest in the middleware package and used it as an exclude key in the config.

image --- image

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, thanks.

Comment thread log/logger/handler.go Outdated
Copilot AI review requested due to automatic review settings April 29, 2026 08:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings April 29, 2026 09:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

@hwbrzzl hwbrzzl left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, please solve the conflict.

Copilot AI review requested due to automatic review settings May 3, 2026 03:38

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Comment thread log/logger/handler.go
Comment thread log/logger/utils.go
Comment thread log/logger/utils.go

@hwbrzzl hwbrzzl left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@krishankumar01
krishankumar01 merged commit f439f83 into master May 3, 2026
19 checks passed
@krishankumar01
krishankumar01 deleted the kkumar-gcc/#946 branch May 3, 2026 03:54
LinboLen added a commit to LinboLen/framework that referenced this pull request May 3, 2026
* origin/master:
  fix(ai): remove context from image response content (goravel#1462)
  feat(ai): support provider-managed files (goravel#1460)
  feat(ai): add image generation support (goravel#1461)
  fix: [goravel#946] stop WithContext from leaking framework context keys (goravel#1456)
  feat(ai): add attachment upload support (goravel#1459)
  feat(ai): add attachment helper subpackages (goravel#1458)
  feat(ai): switch OpenAI provider to responses API (goravel#1457)
  feat(ai): add attachment support (goravel#1455)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

facades.Log().WithContext dumps entire context.Context including internal framework values

3 participants