Use xxxxx rather than *** to mask sensitive data in URLs.
mcdee committed Jul 25, 2024
1 parent 73945ba commit eff49f7
Showing 2 changed files with 12 additions and 8 deletions.
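--- a/http/http_internal_test.go
+++ b/http/http_internal_test.go
@@ -50,31 +50,31 @@ func TestParseAddress(t *testing.T) {
 name: "Query",
 input: "http://foo.com?a=1&b=2",
 base: "http://foo.com?a=1&b=2",
-address: "http://foo.com?a=***&b=***",
+address: "http://foo.com?a=xxxxx&b=xxxxx",
 },
 {
 name: "User",
 input: "http://user@foo.com?a=1&b=2",
 base: "http://user@foo.com?a=1&b=2",
-address: "http://user@foo.com?a=***&b=***",
+address: "http://user@foo.com?a=xxxxx&b=xxxxx",
 },
 {
 name: "Pass",
 input: "http://user:pass@foo.com?a=1&b=2",
 base: "http://user:pass@foo.com?a=1&b=2",
-address: "http://user:%2A%2A%2A@foo.com?a=***&b=***",
+address: "http://user:xxxxx@foo.com?a=xxxxx&b=xxxxx",
 },
 {
 name: "Path",
 input: "http://user:pass@foo.com/path?a=1&b=2",
 base: "http://user:pass@foo.com/path?a=1&b=2",
-address: "http://user:%2A%2A%2A@foo.com/%2A%2A%2A?a=***&b=***",
+address: "http://user:xxxxx@foo.com/xxxxx?a=xxxxx&b=xxxxx",
 },
 {
 name: "PathTrailingSlash",
 input: "http://user:pass@foo.com/path/?a=1&b=2",
 base: "http://user:pass@foo.com/path?a=1&b=2",
-address: "http://user:%2A%2A%2A@foo.com/%2A%2A%2A?a=***&b=***",
+address: "http://user:xxxxx@foo.com/xxxxx?a=xxxxx&b=xxxxx",
 },
 {
 name: "Invalid",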
10 changes: 7 additions & 3 deletions http/service.go
Expand Up @@ -402,17 +402,21 @@ func parseAddress(address string) (*url.URL, *url.URL, error) {
// Remove any trailing slash from the path.
base.Path = strings.TrimSuffix(base.Path, "/")

// Attempt to mask any sensitive information in the URL, for logging purposes.
baseAddress := *base
if _, pwExists := baseAddress.User.Password(); pwExists {
// Mask the password.
user := baseAddress.User.Username()
baseAddress.User = url.UserPassword(user, "***")
baseAddress.User = url.UserPassword(user, "xxxxx")
}
if baseAddress.Path != "" {
baseAddress.Path = "***"
// Mask the path.
baseAddress.Path = "xxxxx"
}
if baseAddress.RawQuery != "" {
// Mask all query values.
sensitiveRegex := regexp.MustCompile("=([^&]*)(&)?")
baseAddress.RawQuery = sensitiveRegex.ReplaceAllString(baseAddress.RawQuery, "=***$2")
baseAddress.RawQuery = sensitiveRegex.ReplaceAllString(baseAddress.RawQuery, "=xxxxx$2")
}

return base, &baseAddress, nil
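Review bot: The userinfo branch masks only when `Password()` reports a password, so an address of the form `https://<token>@host` keeps its username in the copy that the comment says is meant for logging; where a provider issues the API key as the basic-auth username, that key would still be written out. If the username is not needed for diagnostics, consider also covering the no-password case with `if baseAddress.User != nil { baseAddress.User = url.User("xxxxx") }` ahead of the password check, and adjusting the "User" test expectation to match. The query regex likewise rewrites only the text after an `=`, so a bare `?<token>` with no `=` passes through unmasked, and the fragment is not touched at all. Separately, `regexp.MustCompile` runs on every call here; a package-level `var` would compile the pattern once. parseAddress begins above this hunk, so how the masked address is consumed afterwards is not visible from these lines.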