Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

filter password query parameter in access log #919

Merged
merged 12 commits into from
Nov 6, 2021
Merged

filter password query parameter in access log #919

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
b517c3c
filter password query parameter in access log
dadepo Oct 1, 2021
a555e12
Merge branch 'master' into filter-password
dadepo Oct 1, 2021
00a10a8
compile the regex
dadepo Oct 2, 2021
d01372d
Added more test cases
dadepo Oct 6, 2021
7bfdd06
Merge branch 'master' into filter-password
dadepo Oct 19, 2021
a1380c9
should replace password no matter the occurance
dadepo Oct 19, 2021
f0aa485
should filter apikey no matter the occurance in the url string
dadepo Oct 19, 2021
f6ba0de
undo unintentional commits
dadepo Oct 19, 2021
c642ce7
Merge branch 'master' into filter-password
eshryane Oct 20, 2021
37d3eb2
Merge branch 'master' into filter-password
dadepo Oct 22, 2021
b5a65a0
Merge branch 'master' into filter-password
dadepo Nov 3, 2021
d0de0c8
Merge branch 'master' into filter-password
dadepo Nov 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions whois-api/src/main/java/net/ripe/db/whois/api/httpserver/FilteredSlf4jRequestLogWriter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
package net.ripe.db.whois.api.httpserver;

import org.eclipse.jetty.server.Slf4jRequestLogWriter;

import java.io.IOException;
import java.util.regex.Pattern;

public class FilteredSlf4jRequestLogWriter extends Slf4jRequestLogWriter {
private final String keyToFilter;
// Replace value passed to apikey with "FILTERED" but leave the last 3 characters if its API keys
private static final Pattern ApiKeyPattern = Pattern.compile("(?<=(?i)(apikey=))(.+?(?=\\S{3}[&|\\s]))");
private static final Pattern PasswordPattern = Pattern.compile("(?<=(?i)(password=))([^&]*)");

public FilteredSlf4jRequestLogWriter(String keyToFilter) {
this.keyToFilter = keyToFilter;
}

@Override
public void write(String requestEntry) throws IOException {
String filtered;

if (keyToFilter != null && keyToFilter.equalsIgnoreCase("apikey")) {
filtered = ApiKeyPattern.matcher(requestEntry).replaceAll("FILTERED");
} else {
filtered = PasswordPattern.matcher(requestEntry).replaceAll("FILTERED");
}

super.write(filtered);
}
}
2 changes: 1 addition & 1 deletion whois-api/src/main/java/net/ripe/db/whois/api/httpserver/JettyBootstrap.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,6 @@ public void stop(final boolean force) {

// Log requests to org.eclipse.jetty.server.RequestLog
private RequestLog createRequestLog() {
return new CustomRequestLog(new Slf4jRequestLogWriter(), EXTENDED_RIPE_LOG_FORMAT);
return new CustomRequestLog(new FilteredSlf4jRequestLogWriter("password"), EXTENDED_RIPE_LOG_FORMAT);
}
}
64 changes: 64 additions & 0 deletions whois-api/src/test/java/net/ripe/db/whois/api/log/JettyRequestLogTestIntegration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import java.io.IOException;
import java.nio.file.Files;

import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.containsString;

Expand Down Expand Up @@ -92,6 +93,69 @@ public void log_request_x_forwarded_for() throws Exception {
}


@Test
public void password_filtered() throws Exception {
RestTest.target(getPort(), "whois/test/person/TP1-TEST?password=some-api_key-123")
eshryane marked this conversation as resolved.
Show resolved Hide resolved
.request()
.get(WhoisResources.class);


String actual = fileToString(getRequestLogFilename());
assertThat(actual, containsString("GET /whois/test/person/TP1-TEST?password=FILTERED"));
assertThat(actual, not(containsString("some-api_key-123")));
}

@Test
public void multiple_password_filtered() throws Exception {
RestTest.target(getPort(), "whois/test/person/TP1-TEST?password=pass1&password=pass2")
.request()
.get(WhoisResources.class);


String actual = fileToString(getRequestLogFilename());
assertThat(actual, containsString("GET /whois/test/person/TP1-TEST?password=FILTERED&password=FILTERED"));
assertThat(actual, not(containsString("pass1")));
assertThat(actual, not(containsString("pass2")));
}

@Test
public void multiple_query_password_filtered() throws Exception {
RestTest.target(getPort(), "whois/test/person/TP1-TEST?password=pass1&key=value")
.request()
.get(WhoisResources.class);


String actual = fileToString(getRequestLogFilename());
assertThat(actual, containsString("GET /whois/test/person/TP1-TEST?password=FILTERED&key=value"));
assertThat(actual, containsString("key=value"));
assertThat(actual, not(containsString("pass1")));
}

@Test
public void multiple_query_password_last_filtered() throws Exception {
RestTest.target(getPort(), "whois/test/person/TP1-TEST?key=value&password=pass1")
.request()
.get(WhoisResources.class);


String actual = fileToString(getRequestLogFilename());
assertThat(actual, containsString("GET /whois/test/person/TP1-TEST?key=value&password=FILTERED"));
assertThat(actual, containsString("key=value"));
assertThat(actual, not(containsString("pass1")));
}

@Test
public void password_filtered_case_insensitive() throws Exception {
RestTest.target(getPort(), "whois/test/person/TP1-TEST?PassWord=pass1")
.request()
.get(WhoisResources.class);


String actual = fileToString(getRequestLogFilename());
assertThat(actual.toLowerCase(), containsString("password=FILTERED".toLowerCase()));
assertThat(actual, not(containsString("pass1")));
}

// helper methods

private static void cleanupRequestLogDirectory() throws IOException {
Expand Down