We noticed a case where potentially sensitive or secret data is being printed out the Vault logs in the case where the request is malformed. More specifically, if you issue a create/update request and one of the fields in this request is from an incorrect type (for example string instead of a map or vice-versa), the parsing of the request fails (as it should), and the log line that is associated with this error contained the actual content of the field.
This means that if a user makes a mistake while creating (or updating) a secret, their secret may be revealed to anyone who has access to the vault logs.
Here is a simple example that demonstrates this:
If you try to send a request to KV v2 Create or Update Secret API with this body:
{"data": "SOMETHING-VERY-SECRET"}
(data should be a map, but I deliberately made a mistake and put in a string with the secret value)
You get this line in the log:
2022-01-03T12:59:38.900+0200 [ERROR] core: failed to run existence check: error="error converting input SOMETHING-VERY-SECRET for field \"data\": '' expected a map, got 'string'"
Our actual case is more complex, as instead of KV, we are using custom engines that we develop ourselves, but the issue seems to be the same. We first noted this behavior in Vault 1.3, but it looks like it is the same also in 1.9.2.
Is this expected, and if so, is there any way we can avoid this? Is there some configuration option, or some way to mark some fields or paths in a way that will prevent their field values from getting to the logs when the request is malformed?