nghttpx: Don't log authorization request header field value with -LINFO

2019-04-15 22:59:26 +09:00 · 2019-04-15 22:59:26 +09:00 · be96654d56
parent ce962c3fdf
commit be96654d56
4 changed files with 24 additions and 2 deletions
--- a/src/shrpx_http.cc
+++ b/src/shrpx_http.cc
@ -146,13 +146,22 @@ std::string colorizeHeaders(const char *hdrs) {
    nhdrs += TTY_HTTP_HD;
    nhdrs.append(p, np);
    nhdrs += TTY_RST;
+    auto redact = util::strieq_l("authorization", StringRef{p, np});
    p = np;
    np = strchr(p, '\n');
    if (!np) {
-      nhdrs.append(p);
+      if (redact) {
+        nhdrs.append(": <redacted>");
+      } else {
+        nhdrs.append(p);
+      }
      break;
    }
-    nhdrs.append(p, np + 1);
+    if (redact) {
+      nhdrs.append(": <redacted>\n");
+    } else {
+      nhdrs.append(p, np + 1);
+    }
    p = np + 1;
  }
  return nhdrs;
--- a/src/shrpx_http2_downstream_connection.cc
+++ b/src/shrpx_http2_downstream_connection.cc
@ -463,6 +463,11 @@ int Http2DownstreamConnection::push_request_headers() {
  if (LOG_ENABLED(INFO)) {
    std::stringstream ss;
    for (auto &nv : nva) {
+      if (util::streq_l("authorization", nv.name, nv.namelen)) {
+        ss << TTY_HTTP_HD << StringRef{nv.name, nv.namelen} << TTY_RST
+           << ": <redacted>\n";
+        continue;
+      }
      ss << TTY_HTTP_HD << StringRef{nv.name, nv.namelen} << TTY_RST << ": "
         << StringRef{nv.value, nv.valuelen} << "\n";
    }
--- a/src/shrpx_http2_upstream.cc
+++ b/src/shrpx_http2_upstream.cc
@ -321,6 +321,10 @@ int Http2Upstream::on_request_headers(Downstream *downstream,
  if (LOG_ENABLED(INFO)) {
    std::stringstream ss;
    for (auto &nv : nva) {
+      if (nv.name == "authorization") {
+        ss << TTY_HTTP_HD << nv.name << TTY_RST << ": <redacted>\n";
+        continue;
+      }
      ss << TTY_HTTP_HD << nv.name << TTY_RST << ": " << nv.value << "\n";
    }
    ULOG(INFO, this) << "HTTP request headers. stream_id="
--- a/src/shrpx_https_upstream.cc
+++ b/src/shrpx_https_upstream.cc
@ -318,6 +318,10 @@ int htp_hdrs_completecb(http_parser *htp) {
       << "HTTP/" << req.http_major << "." << req.http_minor << "\n";

    for (const auto &kv : req.fs.headers()) {
+      if (kv.name == "authorization") {
+        ss << TTY_HTTP_HD << kv.name << TTY_RST << ": <redacted>\n";
+        continue;
+      }
      ss << TTY_HTTP_HD << kv.name << TTY_RST << ": " << kv.value << "\n";
    }