fix(logging): avoid logging sensitive param values (#31522)

Wes Johnson · facebook-github-bot · commit e612d3a116f3 · 2021-10-07T12:06:43.000-07:00
Summary: We noticed that by default when the RootView / ReactView calls runApplication, we're logging at an info level any props ("params") passed to that component. In our case, one of these props was sensitive in nature, causing the value to leak out in logs for our release builds. This is especially problematic on Android where device logs can be accessed by any app which requests that permission. This is probably more of a concern for brownfield react-native apps, but it seems worthwhile locking this down in non-dev builds. ## Changelog  [General] [Security] - Avoiding logging root view params outside of dev / debug mode builds Pull Request resolved: #31522 Test Plan: * build app in release mode on Android and verified I could not see: `Running "my app" with { sensitive: 'thing' }` in logcat in Android Studio with a tethered device Reviewed By: yungsters Differential Revision: D31064902 Pulled By: charlesbdudley fbshipit-source-id: 8b10a46d92a9ec44243dd74384299087260c7d83
diff --git a/Libraries/ReactNative/AppRegistry.js b/Libraries/ReactNative/AppRegistry.js
@@ -189,8 +189,10 @@ const AppRegistry = {
     displayMode?: number,
   ): void {
     if (appKey !== 'LogBox') {
-      const msg =
-        'Running "' + appKey + '" with ' + JSON.stringify(appParameters);
+      const logParams = __DEV__
+        ? '" with ' + JSON.stringify(appParameters)
+        : '';
+      const msg = 'Running "' + appKey + logParams;
       infoLog(msg);
       BugReporting.addSource(
         'AppRegistry.runApplication' + runCount++,
