
Improve query parameter obfuscation #2031

Open
nhmarujo opened this issue Feb 19, 2025 · 2 comments

@nhmarujo
Contributor

I think it would be handy to make the obfuscation of query parameters a bit smarter, by not obfuscating the value if it is effectively "empty".

Detailed Description

Only obfuscate the query parameter if not null and the trim of the value is not empty.

Context

This can be handy when reasoning about whether a query parameter is actually being sent, and it avoids being misled into thinking that seeing the XXX in there means that something was actually sent.

Possible Implementation

In here, change the condition to if (paramValue == null || paramValue.trim().isEmpty())
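The following is an added, stand-alone model of the two behaviours discussed in this issue; it is not Logbook's code and does not use Logbook's API. The class and method names (QueryObfuscator, obfuscateAll, obfuscateNonEmpty, isEffectivelyEmpty) and the "XXX" placeholder are assumptions made for the example. It applies the proposed null-or-blank check after percent-decoding the value, so that an encoded whitespace-only value such as %20%20 is also treated as empty; decoding first is this example's choice, not something the issue specifies.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.StringJoiner;

/**
 * Stand-alone model of query-parameter obfuscation written for this issue.
 * It is NOT Logbook's implementation; all names here are assumptions.
 */
public final class QueryObfuscator {

    /** Placeholder used in this example for an obfuscated value. */
    static final String REPLACEMENT = "XXX";

    private final Set<String> sensitiveNames;
    private final boolean skipEmptyValues;

    private QueryObfuscator(Set<String> sensitiveNames, boolean skipEmptyValues) {
        this.sensitiveNames = sensitiveNames;
        this.skipEmptyValues = skipEmptyValues;
    }

    /** Behaviour described as current: every value of a sensitive parameter becomes XXX. */
    static QueryObfuscator obfuscateAll(String... names) {
        return new QueryObfuscator(new LinkedHashSet<>(List.of(names)), false);
    }

    /** Proposed behaviour: leave the value alone when it is null or blank after trimming. */
    static QueryObfuscator obfuscateNonEmpty(String... names) {
        return new QueryObfuscator(new LinkedHashSet<>(List.of(names)), true);
    }

    /** Obfuscates the values of sensitive parameters in a raw query string such as "a=1&b=2". */
    String obfuscate(String query) {
        if (query == null || query.isEmpty()) {
            return query;
        }
        StringJoiner out = new StringJoiner("&");
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            // A bare "name" without '=' is modelled as a null value and passed through unchanged.
            String value = eq < 0 ? null : pair.substring(eq + 1);
            out.add(value == null ? name : name + "=" + obfuscateValue(name, value));
        }
        return out.toString();
    }

    private String obfuscateValue(String name, String value) {
        if (!sensitiveNames.contains(name)) {
            return value;
        }
        if (skipEmptyValues && isEffectivelyEmpty(value)) {
            // Only reveals that nothing (or only whitespace) was sent; the trade-off discussed in the issue.
            return value;
        }
        return REPLACEMENT;
    }

    /**
     * The issue's condition, paramValue == null || paramValue.trim().isEmpty(), applied to the
     * percent-decoded value so that "%20%20" counts as empty too (this example's choice).
     */
    static boolean isEffectivelyEmpty(String value) {
        if (value == null) {
            return true;
        }
        String decoded = URLDecoder.decode(value, StandardCharsets.UTF_8);
        return decoded.trim().isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample query: one real secret, one empty value, one whitespace-only value.
        String query = "token=s3cr3t&token=&token=%20%20&user=alice";
        System.out.println("obfuscate all:       " + obfuscateAll("token").obfuscate(query));
        System.out.println("obfuscate non-empty: " + obfuscateNonEmpty("token").obfuscate(query));
    }
}
```

Running main shows the difference the issue is about: with obfuscateAll every token value, including the empty and whitespace-only ones, is printed as XXX, so the log cannot tell you whether a token was sent at all; with obfuscateNonEmpty the empty and whitespace-only values stay readable and only s3cr3t is replaced, which in turn means the log now discloses which requests carried a non-empty value.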

@whiskeysierra
Collaborator

When it comes to obfuscation you are moving in a grey zone - there is no clear right or wrong.
Logbook takes a security stance and doesn't give any information about obfuscated values.
I'd say having special handling for certain allowed values to bypass obfuscation doesn't feel right.

@nhmarujo
Contributor Author

Hi @whiskeysierra. Thank you so much for your input 🙂 The reasoning here is that revealing that something is either null or entirely composed of whitespace characters is not revealing sensitive information, while it has the upside of avoiding misleading people analysing the access logs.
I have to say I don't see what the security threat would be in this case, but maybe I'm just not picturing some examples where that would be a bad practice 🙂
