[GH-ISSUE #2018] Strip down data of a record context marked by SensitiveParameter #863

Open
opened 2026-03-04 03:01:42 +03:00 by kerem · 0 comments
Owner

Originally created by @theofidry on GitHub (Jan 20, 2026).
Original GitHub issue: https://github.com/Seldaek/monolog/issues/2018

Context

When logging, values passed as part of the record context may contain PHP objects that are normalized by a Monolog\Formatter\FormatterInterface:

```php
$logger->log(
  'My message',
  context: ['message' => $message, ...$additionalContext],
);
```

Problem

Consider an object like this:

```php
final readonly class UpdateUser {
  function __construct(
    public string $id,
    #[SensitiveParameter]
    public string $mySecretUrl,
  ) {}
}
```

Since PHP 8.2, #[SensitiveParameter] prevents UpdateUser::$mySecretUrl from appearing in stack traces. However, when such an object is passed as part of a log record context, this attribute is not respected and the sensitive value is still written to the logs.

Proposal

Formatters could leverage #[SensitiveParameter] to automatically redact sensitive properties during normalization.

Based on https://github.com/symfony/symfony/pull/46183, this behaviour may not always be desired, so it could be implemented behind a configuration flag. That said, I would argue that redacting by default is the safer choice—frameworks like Symfony could then disable it in dev/debug mode if needed.

Additionally, since users often implement custom formatters, it would be helpful to expose this functionality in a reusable way.
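
A sketch of the reusable redaction step proposed in this issue, added here as an example; it is not part of the original issue or of Monolog's code. `SensitiveContextRedactor` and the `[REDACTED]` mask are hypothetical names, and the sketch assumes the attribute sits on a promoted constructor parameter, as in `UpdateUser`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Monolog API): normalizes context values to arrays and
// masks promoted constructor properties marked #[SensitiveParameter].
final class SensitiveContextRedactor
{
    public function redact(mixed $value, int $depth = 0): mixed
    {
        if ($depth > 8) {
            return '[max depth reached]'; // guard against deep or cyclic object graphs
        }
        if (is_array($value)) {
            return array_map(fn (mixed $v): mixed => $this->redact($v, $depth + 1), $value);
        }
        if (!is_object($value)) {
            return $value;
        }
        $sensitive = $this->sensitiveProperties($value);
        $out = [];
        // Called from outside the object's class, get_object_vars() yields public properties only.
        foreach (get_object_vars($value) as $name => $propertyValue) {
            $out[$name] = isset($sensitive[$name]) ? '[REDACTED]' : $this->redact($propertyValue, $depth + 1);
        }
        return [$value::class => $out];
    }

    /** @return array<string, true> names of promoted properties whose parameter is marked sensitive */
    private function sensitiveProperties(object $object): array
    {
        $names = [];
        $constructor = (new ReflectionClass($object))->getConstructor();
        foreach ($constructor?->getParameters() ?? [] as $parameter) {
            if ($parameter->isPromoted() && $parameter->getAttributes(SensitiveParameter::class) !== []) {
                $names[$parameter->getName()] = true;
            }
        }
        return $names;
    }
}

// Constructed sample input: the UpdateUser class from the issue with made-up values.
final readonly class UpdateUser
{
    public function __construct(public string $id, #[SensitiveParameter] public string $mySecretUrl) {}
}

$context = ['message' => new UpdateUser('42', 'https://example.test/hook?token=constructed')];
echo json_encode((new SensitiveContextRedactor())->redact($context), JSON_UNESCAPED_SLASHES), PHP_EOL;
```

The helper has to run on the context before the formatter normalizes it, for example from a processor or at the start of a custom formatter. Properties that are not promoted constructor parameters are left untouched, because the lookup goes through the constructor's parameters.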
