From 31e914f6a29489387a380ca2777a8e6c92aaedb5 Mon Sep 17 00:00:00 2001
From: firest
Date: Thu, 29 Jun 2023 15:57:48 +0800
Subject: [PATCH] fix(emqx_utils): improve the checking for the `authorization` key

---
 apps/emqx_utils/src/emqx_utils.erl | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/apps/emqx_utils/src/emqx_utils.erl b/apps/emqx_utils/src/emqx_utils.erl
index b57b13e7d..86667063c 100644
--- a/apps/emqx_utils/src/emqx_utils.erl
+++ b/apps/emqx_utils/src/emqx_utils.erl
@@ -643,10 +643,7 @@ is_sensitive_key(<<"jwt">>) -> true;
 is_sensitive_key(authorization) -> true;
 is_sensitive_key("authorization") -> true;
 is_sensitive_key(<<"authorization">>) -> true;
-%% the authorization header is not case-sensitive
-is_sensitive_key("a" ++ _ = Key) -> is_authorization(Key);
-is_sensitive_key(<<"a", _/binary>> = Key) -> is_authorization(erlang:binary_to_list(Key));
-is_sensitive_key(_) -> false.
+is_sensitive_key(Key) -> is_authorization(Key).
 
 redact(Term) ->
     do_redact(Term, fun is_sensitive_key/1).
@@ -710,7 +707,17 @@ do_is_redacted(K, <>, Fun) ->
 do_is_redacted(_K, _V, _Fun) ->
     false.
 
-is_authorization(Str) ->
+%% This is ugly, however, the authorization is case-insensitive,
+%% the best way is to check chars one by one and quickly exit when any position is not equal,
+%% but in Erlang, this may not perform well, so here only check the first one
+is_authorization([Cap | _] = Key) when Cap == $a; Cap == $A ->
+    is_authorization2(Key);
+is_authorization(<> = Key) when Cap == $a; Cap == $A ->
+    is_authorization2(erlang:binary_to_list(Key));
+is_authorization(_Any) ->
+    false.
+
+is_authorization2(Str) ->
     "authorization" == string:to_lower(Str).
 
 -ifdef(TEST).
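Review bot: `is_authorization2/1` lower-cases the whole key with `string:to_lower/1` and compares with `==`, and the binary clause above it first copies the key into a list with `erlang:binary_to_list/1`; `string:equal/3` with `IgnoreCase` set to `true` performs the case-insensitive comparison directly on both lists and binaries, so the helper and the copy can go (assuming keys reaching this point are proper chardata, which the visible callers suggest but the hunk does not prove). The guards would also read better with `=:=` than `==`, since `$a`/`$A` are integers and no numeric coercion is wanted. The header comment apologises for the design rather than stating the contract; a line such as `%% Case-insensitive match for the "authorization" header name; the first character is checked in a guard so most keys are rejected without scanning the rest.` tells a reader what the function guarantees. Both `is_authorization/1` and `is_authorization2/1` start and end inside the hunk.
```erlang
is_authorization([Cap | _] = Key) when Cap =:= $a; Cap =:= $A ->
    string:equal(Key, "authorization", true);
is_authorization(<<Cap, _/binary>> = Key) when Cap =:= $a; Cap =:= $A ->
    string:equal(Key, "authorization", true);
is_authorization(_Any) ->
    false.
```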
@@ -783,7 +790,7 @@ redact2_test_() ->
     Keys = [secret, passcode],
     [{case_name(atom, Key), fun() -> Case(Key, Checker) end} || Key <- Keys].
 
-redact_is_authorization() ->
+redact_is_authorization_test_() ->
     Types = [string, binary],
     Keys = ["auThorization", "Authorization", "authorizaTion"],