forked from mirror/gin
Remove contents of the Authorization header while dumping requests (#1836)
This PR replaces the contents of that header with a *. This prevents credential leak in logs.
This commit is contained in:
parent
ffcbe77b1e
commit
f9de6049cb
|
@ -53,11 +53,18 @@ func RecoveryWithWriter(out io.Writer) HandlerFunc {
|
||||||
if logger != nil {
|
if logger != nil {
|
||||||
stack := stack(3)
|
stack := stack(3)
|
||||||
httpRequest, _ := httputil.DumpRequest(c.Request, false)
|
httpRequest, _ := httputil.DumpRequest(c.Request, false)
|
||||||
|
headers := strings.Split(string(httpRequest), "\r\n")
|
||||||
|
for idx, header := range headers {
|
||||||
|
current := strings.Split(header, ":")
|
||||||
|
if current[0] == "Authorization" {
|
||||||
|
headers[idx] = current[0] + ": *"
|
||||||
|
}
|
||||||
|
}
|
||||||
if brokenPipe {
|
if brokenPipe {
|
||||||
logger.Printf("%s\n%s%s", err, string(httpRequest), reset)
|
logger.Printf("%s\n%s%s", err, string(httpRequest), reset)
|
||||||
} else if IsDebugging() {
|
} else if IsDebugging() {
|
||||||
logger.Printf("[Recovery] %s panic recovered:\n%s\n%s\n%s%s",
|
logger.Printf("[Recovery] %s panic recovered:\n%s\n%s\n%s%s",
|
||||||
timeFormat(time.Now()), string(httpRequest), err, stack, reset)
|
timeFormat(time.Now()), strings.Join(headers, "\r\n"), err, stack, reset)
|
||||||
} else {
|
} else {
|
||||||
logger.Printf("[Recovery] %s panic recovered:\n%s\n%s%s",
|
logger.Printf("[Recovery] %s panic recovered:\n%s\n%s%s",
|
||||||
timeFormat(time.Now()), err, stack, reset)
|
timeFormat(time.Now()), err, stack, reset)
|
||||||
|
|
|
@ -8,6 +8,7 @@ package gin
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
|
@ -18,6 +19,37 @@ import (
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func TestPanicClean(t *testing.T) {
|
||||||
|
buffer := new(bytes.Buffer)
|
||||||
|
router := New()
|
||||||
|
password := "my-super-secret-password"
|
||||||
|
router.Use(RecoveryWithWriter(buffer))
|
||||||
|
router.GET("/recovery", func(c *Context) {
|
||||||
|
c.AbortWithStatus(http.StatusBadRequest)
|
||||||
|
panic("Oupps, Houston, we have a problem")
|
||||||
|
})
|
||||||
|
// RUN
|
||||||
|
w := performRequest(router, "GET", "/recovery",
|
||||||
|
header{
|
||||||
|
Key: "Host",
|
||||||
|
Value: "www.google.com",
|
||||||
|
},
|
||||||
|
header{
|
||||||
|
Key: "Authorization",
|
||||||
|
Value: fmt.Sprintf("Bearer %s", password),
|
||||||
|
},
|
||||||
|
header{
|
||||||
|
Key: "Content-Type",
|
||||||
|
Value: "application/json",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
// TEST
|
||||||
|
assert.Equal(t, http.StatusBadRequest, w.Code)
|
||||||
|
|
||||||
|
// Check the buffer does not have the secret key
|
||||||
|
assert.NotContains(t, buffer.String(), password)
|
||||||
|
}
|
||||||
|
|
||||||
// TestPanicInHandler assert that panic has been recovered.
|
// TestPanicInHandler assert that panic has been recovered.
|
||||||
func TestPanicInHandler(t *testing.T) {
|
func TestPanicInHandler(t *testing.T) {
|
||||||
buffer := new(bytes.Buffer)
|
buffer := new(bytes.Buffer)
|
||||||
|
|
Loading…
Reference in New Issue