Merge pull request #10994 from sstrigler/EMQX-10003-e-5-0-4-auth-header-value-of-webhook-data-bridge-can-be-found-in-emqx-log

fix(emqx_utils): redact proxy-authorization headers
2023-06-10 11:18:58 +02:00 · 2023-06-10 11:18:58 +02:00 · f98cdd4983
parent 22df275596 57d72ed23e
commit f98cdd4983
2 changed files with 17 additions and 8 deletions
--- a/apps/emqx_utils/src/emqx_utils.erl
+++ b/apps/emqx_utils/src/emqx_utils.erl
@ -600,15 +600,18 @@ try_to_existing_atom(Convert, Data, Encoding) ->
        _:Reason -> {error, Reason}
    end.

-is_sensitive_key(token) -> true;
-is_sensitive_key("token") -> true;
-is_sensitive_key(<<"token">>) -> true;
 is_sensitive_key(authorization) -> true;
 is_sensitive_key("authorization") -> true;
 is_sensitive_key(<<"authorization">>) -> true;
+is_sensitive_key(aws_secret_access_key) -> true;
+is_sensitive_key("aws_secret_access_key") -> true;
+is_sensitive_key(<<"aws_secret_access_key">>) -> true;
 is_sensitive_key(password) -> true;
 is_sensitive_key("password") -> true;
 is_sensitive_key(<<"password">>) -> true;
+is_sensitive_key('proxy-authorization') -> true;
+is_sensitive_key("proxy-authorization") -> true;
+is_sensitive_key(<<"proxy-authorization">>) -> true;
 is_sensitive_key(secret) -> true;
 is_sensitive_key("secret") -> true;
 is_sensitive_key(<<"secret">>) -> true;
@ -618,9 +621,9 @@ is_sensitive_key(<<"secret_key">>) -> true;
 is_sensitive_key(security_token) -> true;
 is_sensitive_key("security_token") -> true;
 is_sensitive_key(<<"security_token">>) -> true;
-is_sensitive_key(aws_secret_access_key) -> true;
-is_sensitive_key("aws_secret_access_key") -> true;
-is_sensitive_key(<<"aws_secret_access_key">>) -> true;
+is_sensitive_key(token) -> true;
+is_sensitive_key("token") -> true;
+is_sensitive_key(<<"token">>) -> true;
 is_sensitive_key(_) -> false.

 redact(Term) ->
@ -731,9 +734,14 @@ redact_test_() ->

    Types = [atom, string, binary],
    Keys = [
-        token,
+        authorization,
+        aws_secret_access_key,
        password,
-        secret
+        'proxy-authorization',
+        secret,
+        secret_key,
+        security_token,
+        token
    ],
    [{case_name(Type, Key), fun() -> Case(Type, Key) end} || Key <- Keys, Type <- Types].

--- a/changes/ce/fix-10994.en.md
+++ b/changes/ce/fix-10994.en.md
@ -0,0 +1 @@
+Redact `proxy-authorization` headers as used by HTTP connector to not leak secrets into log-files.
				`@ -0,0 +1 @@`
				Redact `proxy-authorization` headers as used by HTTP connector to not leak secrets into log-files.