NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit268daf9

Callum Styan

committed

log non-sensitive query param fields in the httpmw logger

Signed-off-by: Callum Styan <callum@coder.com>

1 parent9b7d41d commit268daf9Copy full SHA for 268daf9

File tree

2 files changed

+108

-0

lines changed

coderd/httpmw/loggermw
- logger.go
- logger_internal_test.go

2 files changed

+108

-0

lines changed

`‎coderd/httpmw/loggermw/logger.go‎`

Lines changed: 40 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@ import (`
`4`	`4`	`"context"`
`5`	`5`	`"fmt"`
`6`	`6`	`"net/http"`
	`7`	`+"net/url"`
	`8`	`+"strings"`
`7`	`9`	`"sync"`
`8`	`10`	`"time"`
`9`	`11`
`@@ -15,6 +17,39 @@ import (`
`15`	`17`	`"github.com/coder/coder/v2/coderd/tracing"`
`16`	`18`	`)`
`17`	`19`
	`20`	`+varsensitivePatterns= []string{"code","token","key","secret","password","auth","credential","api_key"}`
	`21`	`+`
	`22`	`+funcsafeQueryParams(params url.Values) []slog.Field {`
	`23`	`+iflen(params)==0 {`
	`24`	`+returnnil`
	`25`	`+}`
	`26`	`+`
	`27`	`+fields:=make([]slog.Field,0,len(params))`
	`28`	`+forkey,values:=rangeparams {`
	`29`	`+sensitive:=false`
	`30`	`+`
	`31`	`+// Check if this parameter should be redacted`
	`32`	`+for_,pattern:=rangesensitivePatterns {`
	`33`	`+ifstrings.Contains(strings.ToLower(key),pattern) {`
	`34`	`+sensitive=true`
	`35`	`+}`
	`36`	`+}`
	`37`	`+if!sensitive {`
	`38`	`+// Prepend query parameters in the log line to ensure we don't have issues with collisions`
	`39`	`+// in case any other internal logging fields already log fields with similar names`
	`40`	`+fieldName:="query_"+key`
	`41`	`+`
	`42`	`+// Log the actual values for non-sensitive parameters`
	`43`	`+iflen(values)==1 {`
	`44`	`+fields=append(fields,slog.F(fieldName,values[0]))`
	`45`	`+continue`
	`46`	`+}`
	`47`	`+fields=append(fields,slog.F(fieldName,values))`
	`48`	`+}`
	`49`	`+}`
	`50`	`+returnfields`
	`51`	`+}`
	`52`	`+`
`18`	`53`	`funcLogger(log slog.Logger)func(next http.Handler) http.Handler {`
`19`	`54`	`returnfunc(next http.Handler) http.Handler {`
`20`	`55`	`returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`@@ -39,6 +74,11 @@ func Logger(log slog.Logger) func(next http.Handler) http.Handler {`
`39`	`74`	`slog.F("start",start),`
`40`	`75`	`)`
`41`	`76`
	`77`	`+// Add safe query parameters to the log`
	`78`	`+ifqueryFields:=safeQueryParams(r.URL.Query());len(queryFields)>0 {`
	`79`	`+httplog=httplog.With(queryFields...)`
	`80`	`+}`
	`81`	`+`
`42`	`82`	`logContext:=NewRequestLogger(httplog,r.Method,start)`
`43`	`83`
`44`	`84`	`ctx:=WithRequestLogger(r.Context(),logContext)`

`‎coderd/httpmw/loggermw/logger_internal_test.go‎`

Lines changed: 68 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import (`
`4`	`4`	`"context"`
`5`	`5`	`"net/http"`
`6`	`6`	`"net/http/httptest"`
	`7`	`+"net/url"`
`7`	`8`	`"slices"`
`8`	`9`	`"strings"`
`9`	`10`	`"sync"`
`@@ -292,6 +293,73 @@ func TestRequestLogger_RouteParamsLogging(t *testing.T) {`
`292`	`293`	`}`
`293`	`294`	`}`
`294`	`295`
	`296`	`+funcTestSafeQueryParams(t*testing.T) {`
	`297`	`+t.Parallel()`
	`298`	`+`
	`299`	`+tests:= []struct {`
	`300`	`+namestring`
	`301`	`+params url.Values`
	`302`	`+expectedmap[string]interface{}`
	`303`	`+}{`
	`304`	`+{`
	`305`	`+name:"safe parameters",`
	`306`	`+params: url.Values{`
	`307`	`+"page": []string{"1"},`
	`308`	`+"limit": []string{"10"},`
	`309`	`+"filter": []string{"active"},`
	`310`	`+"sort": []string{"name"},`
	`311`	`+},`
	`312`	`+expected:map[string]interface{}{`
	`313`	`+"query_page":"1",`
	`314`	`+"query_limit":"10",`
	`315`	`+"query_filter":"active",`
	`316`	`+"query_sort":"name",`
	`317`	`+},`
	`318`	`+},`
	`319`	`+{`
	`320`	`+name:"sensitive parameters",`
	`321`	`+params: url.Values{`
	`322`	`+"token": []string{"secret-token"},`
	`323`	`+"api_key": []string{"secret-key"},`
	`324`	`+"coder_signed_app_token": []string{"jwt-token"},`
	`325`	`+"coder_application_connect_api_key": []string{"encrypted-key"},`
	`326`	`+"client_secret": []string{"oauth-secret"},`
	`327`	`+"code": []string{"auth-code"},`
	`328`	`+},`
	`329`	`+expected:map[string]interface{}{},`
	`330`	`+},`
	`331`	`+{`
	`332`	`+name:"mixed parameters",`
	`333`	`+params: url.Values{`
	`334`	`+"page": []string{"1"},`
	`335`	`+"token": []string{"secret"},`
	`336`	`+"filter": []string{"active"},`
	`337`	`+},`
	`338`	`+expected:map[string]interface{}{`
	`339`	`+"query_page":"1",`
	`340`	`+"query_filter":"active",`
	`341`	`+},`
	`342`	`+},`
	`343`	`+}`
	`344`	`+`
	`345`	`+for_,tt:=rangetests {`
	`346`	`+tt:=tt`
	`347`	`+t.Run(tt.name,func(t*testing.T) {`
	`348`	`+t.Parallel()`
	`349`	`+`
	`350`	`+fields:=safeQueryParams(tt.params)`
	`351`	`+`
	`352`	`+// Convert fields to map for easier comparison`
	`353`	`+result:=make(map[string]interface{})`
	`354`	`+for_,field:=rangefields {`
	`355`	`+result[field.Name]=field.Value`
	`356`	`+}`
	`357`	`+`
	`358`	`+require.Equal(t,tt.expected,result)`
	`359`	`+})`
	`360`	`+}`
	`361`	`+}`
	`362`	`+`
`295`	`363`	`typefakeSinkstruct {`
`296`	`364`	`entries []slog.SinkEntry`
`297`	`365`	`newEntrieschan slog.SinkEntry`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit268daf9

File tree

2 files changed

2 files changed

`‎coderd/httpmw/loggermw/logger.go‎`

`‎coderd/httpmw/loggermw/logger_internal_test.go‎`

0 commit comments