From d8032f47ca1c184372a6f7368ab4187e4ebff939 Mon Sep 17 00:00:00 2001
From: Thales Macedo Garitezi
Date: Mon, 26 Feb 2024 17:21:03 -0300
Subject: [PATCH] fix: redact all headers from logs

Fixes https://emqx.atlassian.net/browse/EMQX-11904

Since headers are usually used for authentication and the headers used for that are very flexible, we redact all headers from logs to avoid leaking anything.
---
 apps/emqx_audit/test/emqx_audit_api_SUITE.erl | 2 +-
 apps/emqx_utils/src/emqx_utils.app.src | 2 +-
 apps/emqx_utils/src/emqx_utils.erl | 4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/emqx_audit/test/emqx_audit_api_SUITE.erl b/apps/emqx_audit/test/emqx_audit_api_SUITE.erl
index 2f401e7a8..f1f4f2628 100644
--- a/apps/emqx_audit/test/emqx_audit_api_SUITE.erl
+++ b/apps/emqx_audit/test/emqx_audit_api_SUITE.erl
@@ -88,7 +88,7 @@ t_http_api(_) ->
 <<"method">> := <<"put">>,
 <<"body">> := #{<<"mqtt">> := #{<<"max_qos_allowed">> := 1}},
 <<"bindings">> := _,
- <<"headers">> := #{<<"authorization">> := <<"******">>}
+ <<"headers">> := "******"
 },
 <<"http_status_code">> := 200,
 <<"operation_result">> := <<"success">>,
diff --git a/apps/emqx_utils/src/emqx_utils.app.src b/apps/emqx_utils/src/emqx_utils.app.src
index 766b25da6..8fdade473 100644
--- a/apps/emqx_utils/src/emqx_utils.app.src
+++ b/apps/emqx_utils/src/emqx_utils.app.src
@@ -2,7 +2,7 @@
 {application, emqx_utils, [
 {description, "Miscellaneous utilities for EMQX apps"},
 % strict semver, bump manually!
- {vsn, "5.0.15"},
+ {vsn, "5.0.16"},
 {modules, [
 emqx_utils,
 emqx_utils_api,
diff --git a/apps/emqx_utils/src/emqx_utils.erl b/apps/emqx_utils/src/emqx_utils.erl
index 0eeef2e5e..be9f99923 100644
--- a/apps/emqx_utils/src/emqx_utils.erl
+++ b/apps/emqx_utils/src/emqx_utils.erl
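Review bot: The `+` line changes the shape of the audit record's `headers` field from a map of header names to a bare placeholder string, and nothing in the commit documents that shape change for whoever reads the audit log (API consumers, SIEM parsers, or the audit log field reference if one exists). The removed line used the binary `<<"******">>` for a single redacted value while the new line expects the charlist `"******"` for the whole container; both presumably render as the same JSON string, but at the Erlang level they differ, so this assertion now depends on how the redaction helper represents a masked map value rather than on the redaction itself. A one-line note in the changelog or the audit-log field docs along the lines of "`headers` is always recorded as the redacted placeholder, never as a map" would make the contract explicit. t_http_api's body starts and ends outside the hunk.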
@@ -717,6 +717,9 @@ is_sensitive_key(<<"jwt">>) -> true;
 is_sensitive_key(authorization) -> true;
 is_sensitive_key("authorization") -> true;
 is_sensitive_key(<<"authorization">>) -> true;
+is_sensitive_key(headers) -> true;
+is_sensitive_key("headers") -> true;
+is_sensitive_key(<<"headers">>) -> true;
 is_sensitive_key(bind_password) -> true;
 is_sensitive_key("bind_password") -> true;
 is_sensitive_key(<<"bind_password">>) -> true;
@@ -879,6 +882,7 @@ redact_test_() ->
 secret_key,
 secret_access_key,
 security_token,
+headers,
 token,
 bind_password
 ],
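Review bot: The three added `is_sensitive_key` clauses carry no comment saying why an entire container key is treated as sensitive, unlike the neighbouring clauses which name individual credentials, so the next maintainer may read `headers` as an over-broad mistake and narrow it back to `authorization`. I would add directly above them `%% Credential-bearing header names vary per integration, so the whole headers map is masked rather than an allowlist of known names (EMQX-11904).` `is_sensitive_key/1` looks like a general predicate rather than a log-only one, so if it is also consulted when rendering configuration for API responses or status output, every `headers` map, including ones holding only non-credential values such as a content type, is now masked wholesale; that is likely acceptable given the rationale in the commit message, but it should be confirmed and called out in the changelog. The match is exact, so a map keyed `http_headers` or `Headers` is still not covered, which is fine only if every logging site uses the bare `headers` key.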
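Review bot: Adding `headers` to this key list shows only that the key is recognised as sensitive; it does not exercise the case the fix is about, where the value is itself a map of header names (the shape asserted in the audit suite), so if the fixture value used by this generator is a flat term, a regression that masks only scalar values under the key would still pass. Consider one explicit case in the same generator along the lines of `?assertEqual(#{headers => Masked}, redact(#{headers => #{<<"x-custom">> => <<"v">>}}))`, with `Masked` being whatever placeholder representation the redaction function uses for a map value. The fixture values and the rest of redact_test_'s body are outside the hunk, so this may already be covered there.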