x-pack/filebeat/input/httpjson: redact authentication headers in logging
This requires a small duplication of the mapstr.M API to work around an
issue in that type that can result in corruption of data.
efd6 committed Dec 5, 2024
1 parent 83251ea commit c43e324
Showing 3 changed files with 57 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -188,6 +188,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Improve S3 object size metric calculation to support situations where Content-Length is not available. {pull}41755[41755]
- Fix handling of http_endpoint request exceeding memory limits. {issue}41764[41764] {pull}41765[41765]
- Rate limiting fixes in the Okta provider of the Entity Analytics input. {issue}40106[40106] {pull}41583[41583]
- Redact authentication headers in HTTPJSON debug logs. {pull}41920[41920]

*Heartbeat*

55 changes: 55 additions & 0 deletions x-pack/filebeat/input/httpjson/input.go
Expand Up @@ -15,6 +15,7 @@ import (
"net/url"
"os"
"path/filepath"
"sort"
"strings"
"time"

Expand All @@ -33,6 +34,7 @@ import (
"github.com/elastic/beats/v7/libbeat/version"
"github.com/elastic/beats/v7/x-pack/filebeat/input/internal/httplog"
"github.com/elastic/beats/v7/x-pack/filebeat/input/internal/httpmon"
"github.com/elastic/beats/v7/x-pack/filebeat/input/internal/private"
"github.com/elastic/elastic-agent-libs/logp"
"github.com/elastic/elastic-agent-libs/mapstr"
"github.com/elastic/elastic-agent-libs/monitoring"
Expand Down Expand Up @@ -91,6 +93,59 @@ func Plugin(log *logp.Logger, store inputcursor.StateStore) v2.Plugin {
}
}

type redact struct {
value mapstrM
fields []string
}

func (r redact) MarshalLogObject(enc zapcore.ObjectEncoder) error {
v, err := private.Redact(r.value, "", r.fields)
if err != nil {
return fmt.Errorf("could not redact value: %v", err)
}
return v.MarshalLogObject(enc)
}

// mapstrM is a non-mutating version of mapstr.M.
type mapstrM mapstr.M

// MarshalLogObject implements the zapcore.ObjectMarshaler interface and allows
// for more efficient marshaling of mapstrM in structured logging.
func (m mapstrM) MarshalLogObject(enc zapcore.ObjectEncoder) error {
if len(m) == 0 {
return nil
}

keys := make([]string, 0, len(m))
for k := range m {

Check failure on line 120 in x-pack/filebeat/input/httpjson/input.go

GitHub Actions / lint (darwin)

cannot range over m (variable of type mapstrM) (typecheck)
keys = append(keys, k)
}
sort.Strings(keys)
for _, k := range keys {
v := m[k]

Check failure on line 125 in x-pack/filebeat/input/httpjson/input.go

GitHub Actions / lint (darwin)

invalid operation: cannot index m (variable of type mapstrM) (typecheck)
if inner, ok := tryToMapStr(v); ok {
err := enc.AddObject(k, inner)
if err != nil {
return fmt.Errorf("failed to add object: %w", err)
}
continue
}
zap.Any(k, v).AddTo(enc)
}
return nil
}

func tryToMapStr(v interface{}) (mapstrM, bool) {
switch m := v.(type) {
case mapstrM:
return m, true
case map[string]interface{}:
return mapstrM(m), true

Check failure on line 143 in x-pack/filebeat/input/httpjson/input.go

GitHub Actions / lint (darwin)

cannot convert m (variable of type map[string]interface{}) to type mapstrM (typecheck)
default:
return nil, false

Check failure on line 145 in x-pack/filebeat/input/httpjson/input.go

View workflow job for this annotation

GitHub Actions / lint (darwin)

cannot use nil as mapstrM value in return statement (typecheck)
}
}

func test(url *url.URL) error {
port := func() string {
if url.Port() != "" {
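Review bot: `tryToMapStr` matches only `mapstrM` and `map[string]interface{}`, so a nested value whose dynamic type is `mapstr.M` falls through to `zap.Any(k, v)` in `mapstrM.MarshalLogObject` and, if `mapstr.M` provides its own log marshaler, is encoded by the implementation the commit message says this copy is meant to avoid. If `private.Redact` can return nested `mapstr.M` values (its code is not shown here), add `case mapstr.M: return mapstrM(m), true` to the type switch. Separately, `redact.MarshalLogObject` wraps the redaction error with `%v` while the marshaler below it uses `%w`; `fmt.Errorf("could not redact value: %w", err)` keeps the chain for `errors.Is`/`errors.As`. The `redact` type would also benefit from a doc comment stating that a redaction failure returns before this method encodes anything, so the unredacted value is not written by it.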
2 changes: 1 addition & 1 deletion x-pack/filebeat/input/httpjson/request.go
Expand Up @@ -465,7 +465,7 @@ func (rf *requestFactory) newRequest(ctx *transformContext) (transformable, erro
}
}

rf.log.Debugf("new request: %#v", req)
rf.log.Debugw("new request", "req", redact{value: mapstrM(req), fields: []string{"header.Authorization"}})

return req, nil
}
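Review bot: The `fields` list in the new `Debugw` call names only `header.Authorization`, so credentials carried anywhere else in `req` — other headers such as `Proxy-Authorization` or `Cookie`, a vendor API-key header, or a token in the URL or body — would still be written to the debug log. Whether `private.Redact` matches the key case-sensitively is not visible here; if it does, a header stored under a non-canonical key would also escape redaction. Consider extending the list, e.g. `fields: []string{"header.Authorization", "header.Proxy-Authorization", "header.Cookie"}` (assuming the path syntax accepts these keys), or deriving it from the configured authentication settings. `newRequest` begins outside this hunk, so how the headers are populated cannot be confirmed from here.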
