There are two eprintln! debug calls in production library code (not gated behind #[cfg(test)]) that print message length metadata to stderr on every encrypt/decrypt operation.
Evidence
src/lib.rs line 222 (inside block_encrypt):
eprintln!("encrypting message {} with padding {}", msg_len, pad_len);
src/lib.rs line 510 (inside block_decrypt_in_place):
eprintln!("decrypting length {}", m.len());
Impact
- Pollutes stderr in any application using this library
- Leaks message length metadata on every encrypt/decrypt call — a potential information side-channel in constrained deployments
- Violates the Rust API guideline that library crates must not print to stdout/stderr
Suggested fix
Remove both eprintln! calls (a 2-line deletion), or replace them with log::trace! / tracing::trace! behind an opt-in feature flag.
Happy to submit a PR with this fix.
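The suggested fix as an added, stand-alone illustration (not the crate's own code): the unconditional eprintln! beside a version where the same diagnostic is gated behind an opt-in cargo feature, so a default build emits nothing on stderr. The feature name `debug-trace`, the 16-byte block size and the padding helper are assumptions; with the `log` crate available the gated macro body would be `log::trace!` instead of `eprintln!`.

```rust
// Hypothetical opt-in feature: only `cargo build --features debug-trace`
// turns the diagnostic on. The `not(...)` variant expands to nothing, so
// the message length never reaches stderr in a normal build.
#[cfg(feature = "debug-trace")]
macro_rules! debug_trace {
    ($($arg:tt)*) => { eprintln!($($arg)*) };
}
#[cfg(not(feature = "debug-trace"))]
macro_rules! debug_trace {
    ($($arg:tt)*) => {};
}

/// Assumed block size for the padding helper below.
const BLOCK: usize = 16;

/// PKCS#7-style padding length: 1..=BLOCK bytes, so the padded message is
/// block-aligned and the pad is never empty.
pub fn pad_len_for(msg_len: usize) -> usize {
    BLOCK - (msg_len % BLOCK)
}

/// Append `pad_len` bytes, each holding the value `pad_len`.
fn pad(msg: &[u8], pad_len: usize) -> Vec<u8> {
    let mut out = msg.to_vec();
    out.extend(std::iter::repeat(pad_len as u8).take(pad_len));
    out
}

/// Before: the pattern the issue reports, printing length metadata on every call.
pub fn block_encrypt_noisy(msg: &[u8]) -> Vec<u8> {
    let pad_len = pad_len_for(msg.len());
    eprintln!("encrypting message {} with padding {}", msg.len(), pad_len);
    pad(msg, pad_len)
}

/// After: identical output, but the diagnostic is opt-in and compiles away.
pub fn block_encrypt(msg: &[u8]) -> Vec<u8> {
    let pad_len = pad_len_for(msg.len());
    debug_trace!("encrypting message {} with padding {}", msg.len(), pad_len);
    pad(msg, pad_len)
}
```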