F-2026-0015·sensitive-data-in-logs

Request Body Logged in Plaintext for Slow Requests

Fixed · pentest · backend · api · github.com/bloom-art/api
TL;DR

Slow-request log lines included the full request body, leaking leverage, notional size, market ticker, and slippage tolerance for offers exceeding the 5s threshold. Fixed by stripping body and query from the slow-request log.

Severity
LOW
Impact
MEDIUM
Likelihood
LOW
Method
Manual review
Complexity
LOW
Exploitability
LOW

Description

The LoggingInterceptor logs the full request body as a serialized JSON string for any request that exceeds its duration threshold:

```typescript
this.logger.warn(
  `Long running request of ${requestDuration}ms on ${handlerName}. ` +
  `Method: ${request.method} URL: ${request.url} Body: ${JSON.stringify(request.body)} ` +
  `Query: ${JSON.stringify(request.query)}`,
);
```

For the offer creation endpoint (createOffer/createQuote), the threshold is 5 seconds. A slow offer request therefore logs the entire request body, including leverageBps, marketTicker, notionalAmountUsdPips, slippageBps, and effectiveSide: a complete description of the user's trading intent. The line is written to Google Cloud Logging and Sentry, and potentially to third-party log aggregation services, where it persists under log retention policies and is readable by a broader set of personnel and systems than the trading data itself warrants.

Vulnerable scenario:

  1. An authenticated user submits a large leveraged offer that takes more than 5 seconds to process.
  2. The logging interceptor fires and writes the complete body (leverage, market ticker, position size, slippage tolerance) to the server log.
  3. A credential with read access to GCP Logging is compromised.
  4. The attacker now knows the exact trading parameters of high-value positions, enabling targeted liquidation attacks or leakage of proprietary trading strategy.

Impact

Sensitive trading strategy parameters (leverage, notional size, target market, slippage tolerance) are written to server logs whenever requests are slow, creating a data retention risk and potential information disclosure to anyone with log access.


Recommendation

Remove the Body: ${JSON.stringify(request.body)} and Query: ${JSON.stringify(request.query)} segments from the slow-request log message. If body logging is required for debugging, apply an explicit allowlist of non-sensitive fields (e.g., only pmProvider) and mask or hash the financial values rather than serialising the body wholesale. Ensure access to the log destinations (Cloud Logging, Sentry, any aggregation service) is governed by the same access controls as the trading data itself.
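The allowlist approach above, as an added example written for this finding (it is not code from github.com/bloom-art/api). The vulnerable formatter reproduces the log line quoted in the Description; the hardened formatter keeps duration, handler, method and path for triage, masks every body field that is not on the allowlist, and drops the query. It also truncates the URL at '?', because in Express request.url still carries the query string, so removing the Query: segment alone would leave query parameters in the line. The field names are those named in the finding; the LoggedRequest shape, the createOffer handler name, the threshold constant and the sample request are assumptions made for the example.

```typescript
// Added example for this finding, not code from the bloom-art/api repository.
// Field names come from the finding; LoggedRequest, the handler name, the
// threshold constant and the sample request below are assumptions.

interface LoggedRequest {
  method: string;
  url: string; // Express-style: may still carry the query string after '?'
  body?: Record<string, unknown>;
  query?: Record<string, unknown>;
}

const SLOW_REQUEST_THRESHOLD_MS = 5_000;

// Body fields that may appear in a slow-request log line. Everything else is
// masked, so a field added to the DTO later is redacted by default.
const BODY_ALLOWLIST: ReadonlySet<string> = new Set(['pmProvider']);

// Trading-intent fields named in the finding; used by the leak check below.
const SENSITIVE_FIELDS = ['leverageBps', 'marketTicker', 'notionalAmountUsdPips', 'slippageBps', 'effectiveSide'];

// Keep allowlisted values, replace every other value with a marker. Keys are
// kept so an operator can still see which fields the request carried.
function redactBody(body: Record<string, unknown> | undefined, allowlist: ReadonlySet<string> = BODY_ALLOWLIST): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(body ?? {})) {
    out[key] = allowlist.has(key) ? value : '[REDACTED]';
  }
  return out;
}

// Express's request.url includes the query string, so dropping the Query:
// segment alone is not enough; cut the URL at '?' as well.
function stripQuery(url: string): string {
  const i = url.indexOf('?');
  return i === -1 ? url : url.slice(0, i);
}

// Before: the line from the finding. Body and query are serialised verbatim.
function formatSlowRequestVulnerable(req: LoggedRequest, handlerName: string, durationMs: number): string {
  return (
    `Long running request of ${durationMs}ms on ${handlerName}. ` +
    `Method: ${req.method} URL: ${req.url} Body: ${JSON.stringify(req.body)} ` +
    `Query: ${JSON.stringify(req.query)}`
  );
}

// After: duration, handler, method and path are kept for triage; the body is
// reduced to allowlisted keys and the query string is dropped entirely.
function formatSlowRequestHardened(req: LoggedRequest, handlerName: string, durationMs: number): string {
  return (
    `Long running request of ${durationMs}ms on ${handlerName}. ` +
    `Method: ${req.method} URL: ${stripQuery(req.url)} ` +
    `Body: ${JSON.stringify(redactBody(req.body))}`
  );
}

// What the interceptor would emit: null for fast requests, the hardened line otherwise.
function slowRequestLine(req: LoggedRequest, handlerName: string, durationMs: number, thresholdMs = SLOW_REQUEST_THRESHOLD_MS): string | null {
  if (durationMs <= thresholdMs) return null;
  return formatSlowRequestHardened(req, handlerName, durationMs);
}

// Test guard: which sensitive field values from body or query appear verbatim
// in a log line. Substring matching is coarse, but it is enough to fail a unit
// test if someone re-adds the full body to the message later.
function leakedFields(line: string, req: LoggedRequest, fields: string[] = SENSITIVE_FIELDS): string[] {
  const sources = [req.body ?? {}, req.query ?? {}];
  return fields.filter((f) => sources.some((s) => f in s && line.includes(String(s[f]))));
}

// Constructed sample request for the example (not a captured production request).
const sampleOffer: LoggedRequest = {
  method: 'POST',
  url: '/offers?pmProvider=alpha&slippageBps=30',
  body: { leverageBps: 2500, marketTicker: 'ETH-USD', notionalAmountUsdPips: 7_500_000_000, slippageBps: 30, effectiveSide: 'buy', pmProvider: 'alpha' },
  query: { pmProvider: 'alpha', slippageBps: '30' },
};

console.log(formatSlowRequestVulnerable(sampleOffer, 'createOffer', 5312));
console.log(formatSlowRequestHardened(sampleOffer, 'createOffer', 5312));
```

Running the block prints the two lines side by side: the first carries all five trading-intent values twice (body and query), the second only the masked keys, pmProvider and the path. The leakedFields guard is worth wiring into the interceptor's unit tests so a regression that reintroduces JSON.stringify(request.body) fails in CI rather than in a log review.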


Resolution

Fixed by code change: the Body: and Query: segments were removed from the slow-request log line; method, URL, handler, and duration are retained for triage.

Status
Fixed
F-2026-0015

zealynx


© 2026 Zealynx