From 0471d51a315637df91d38f42afedd0e170cdefad Mon Sep 17 00:00:00 2001 From: Sheena Carswell Date: Mon, 15 Jul 2024 10:34:27 +0100 Subject: [PATCH] fix: redact password in logs if specified as part of URL (#413) **Requirements** - [x] I have added test coverage for new or changed functionality - [x] I have followed the repository's [pull request submission guidelines](../blob/master/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions **Related issues** (Internal: see sc-249267) **Describe the solution you've provided** When the connection URL is specified with a username and password, this was logged in full, for example "Using proxy server at http://my-user-name:my-password@my-proxy-server". This fix redacts any password specified as part of the URL from the logs.
---
 internal/httpconfig/httpconfig.go | 2 +- internal/httpconfig/httpconfig_test.go | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/internal/httpconfig/httpconfig.go b/internal/httpconfig/httpconfig.go
index af6cd2b9..e24ccbc4 100644
--- a/internal/httpconfig/httpconfig.go
+++ b/internal/httpconfig/httpconfig.go
@@ -44,7 +44,7 @@ func NewHTTPConfig(proxyConfig config.ProxyConfig, authKey credential.SDKCredent
 return ret, errProxyAuthWithoutProxyURL
 }
 if proxyConfig.URL.IsDefined() {
- loggers.Infof("Using proxy server at %s", proxyConfig.URL)
+ loggers.Infof("Using proxy server at %s", proxyConfig.URL.Get().Redacted())
 }

 caCertFiles := proxyConfig.CACertFiles.Values()
diff --git a/internal/httpconfig/httpconfig_test.go b/internal/httpconfig/httpconfig_test.go
index cf720768..f2c6619e 100644
--- a/internal/httpconfig/httpconfig_test.go
+++ b/internal/httpconfig/httpconfig_test.go
@@ -4,6 +4,7 @@ import (
 "crypto/x509"
 "net/http"
 "net/http/httptest"
+ "net/url"
 "os"
 "testing"
 
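Review bot: The redaction on the new `loggers.Infof("Using proxy server at %s", ...)` line in httpconfig.go masks only the userinfo password: `url.URL.Redacted()` leaves the username, path and query string untouched, so a proxy URL carrying a secret in its query would still be logged in full. The fix is also local to this one call site; any other place that formats `proxyConfig.URL` with `%s` or `%v` (none visible in this hunk) would presumably still print the password, and redacting inside the option type's own string formatting would cover them all. A comment above the call would help the next reader, e.g. `// Redacted() masks only the userinfo password; never format proxyConfig.URL directly in logs or errors.` NewHTTPConfig begins and ends outside this hunk.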
@@ -137,3 +138,22 @@ func TestNTLMProxyInvalidConfigs(t *testing.T) {
 }
 })
 }
+
+func TestLogsRedactConnectionPassword(t *testing.T) {
+ // Username and password are specified separately in NTLM auth won't show in logs as they're not part of server name
+ url1, _ := configtypes.NewOptURLAbsoluteFromString("http://my-proxy")
+ proxyConfig1 := config.ProxyConfig{NTLMAuth: true, URL: url1, User: "my-user", Password: "my-pass"}
+ mockLog1 := ldlogtest.NewMockLog()
+ _, err := NewHTTPConfig(proxyConfig1, nil, "", mockLog1.Loggers)
+ assert.NoError(t, err)
+ mockLog1.AssertMessageMatch(t, true, ldlog.Info, "Using proxy server at http://my-proxy$")
+
+ // When username and password are configured as part of server name, verify the password is redacted
+ url2, _ := url.Parse("http://my-user:my-password@my-proxy")
+ url2Absolute, _ := configtypes.NewOptURLAbsolute(url2)
+ proxyConfig2 := config.ProxyConfig{URL: url2Absolute}
+ mockLog2 := ldlogtest.NewMockLog()
+ _, err = NewHTTPConfig(proxyConfig2, nil, "", mockLog2.Loggers)
+ assert.NoError(t, err)
+ mockLog2.AssertMessageMatch(t, true, ldlog.Info, "Using proxy server at http://my-user:xxxxx@my-proxy$")
+}
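Review bot: Both cases in TestLogsRedactConnectionPassword assert only that the expected Info line is present, and nothing asserts that the secret is absent, so a second log line printing the raw URL would not fail the test. Assuming a `false` second argument to `AssertMessageMatch` means "must not match", adding `mockLog2.AssertMessageMatch(t, false, ldlog.Info, "my-password")`, and the same for `"my-pass"` on `mockLog1`, would pin that for the Info level; other levels would need their own lines. The errors from `NewOptURLAbsoluteFromString`, `url.Parse` and `NewOptURLAbsolute` are discarded with `_`, so a setup failure would show up only as a confusing log mismatch. Checking each with `assert.NoError(t, err)` would make the failure point at the real cause.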