Merge pull request #9998 from lafirest/fix/http-authn-pass-leak
fix(connector): redact the http body in error logs for security reasons
699afc8c61
|
@ -328,15 +328,17 @@ on_query(
|
||||||
{ok, StatusCode, Headers} ->
|
{ok, StatusCode, Headers} ->
|
||||||
?SLOG(error, #{
|
?SLOG(error, #{
|
||||||
msg => "http connector do request, received error response",
|
msg => "http connector do request, received error response",
|
||||||
request => redact(NRequest),
|
note => "the body will be redacted due to security reasons",
|
||||||
|
request => redact_request(NRequest),
|
||||||
connector => InstId,
|
connector => InstId,
|
||||||
status_code => StatusCode
|
status_code => StatusCode
|
||||||
}),
|
}),
|
||||||
{error, #{status_code => StatusCode, headers => Headers}};
|
{error, #{status_code => StatusCode, headers => Headers}};
|
||||||
{ok, StatusCode, Headers, Body} ->
|
{ok, StatusCode, Headers, Body} ->
|
||||||
?SLOG(error, #{
|
?SLOG(error, #{
|
||||||
msg => "http connector do request, received error response",
|
msg => "http connector do request, received error response.",
|
||||||
request => redact(NRequest),
|
note => "the body will be redacted due to security reasons",
|
||||||
|
request => redact_request(NRequest),
|
||||||
connector => InstId,
|
connector => InstId,
|
||||||
status_code => StatusCode
|
status_code => StatusCode
|
||||||
}),
|
}),
|
||||||
|
@ -601,6 +603,15 @@ is_sensitive_key(_) ->
|
||||||
redact(Data) ->
|
redact(Data) ->
|
||||||
emqx_misc:redact(Data, fun is_sensitive_key/1).
|
emqx_misc:redact(Data, fun is_sensitive_key/1).
|
||||||
|
|
||||||
|
%% because the body may contain some sensitive data
|
||||||
|
%% and at the same time the redact function will not scan the binary data
|
||||||
|
%% and we also can't know the body format and where the sensitive data will be
|
||||||
|
%% so the easy way to keep data security is redacted the whole body
|
||||||
|
redact_request({Path, Headers}) ->
|
||||||
|
{Path, redact(Headers)};
|
||||||
|
redact_request({Path, Headers, _Body}) ->
|
||||||
|
{Path, redact(Headers), <<"******">>}.
|
||||||
|
|
||||||
-ifdef(TEST).
|
-ifdef(TEST).
|
||||||
-include_lib("eunit/include/eunit.hrl").
|
-include_lib("eunit/include/eunit.hrl").
|
||||||
|
|
||||||
|
|
|
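Review bot: `redact_request/1` in the second hunk masks the body and passes the headers through `redact/1`, but `Path` is returned unchanged in both clauses, so anything carried in a query string still reaches the error log. If a caller can put credentials in the URL (for example a GET-style request whose parameters are appended to the path; that is not visible in this diff, so it needs confirming), the leak this commit targets remains for that case. Consider masking everything after `?` before logging, or at least document the limit with a comment such as `%% Path is logged as-is; callers must not put secrets in the query string`. Separately, the `msg` string in the four-tuple branch of `on_query` gained a trailing period that the three-tuple branch does not have, so an exact-match log filter on the message will miss one of them.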
@ -0,0 +1 @@
|
||||||
|
Redact the HTTP request body in the authentication error logs for security reasons.
|
|
@ -0,0 +1 @@
|
||||||
|
出于安全原因,在身份验证错误日志中模糊 HTTP 请求正文。
|