Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New createCurlCmd feature leaks secrets in log when tracing is enabled #828

Closed
nagius opened this issue Aug 27, 2024 · 2 comments · Fixed by #842
Closed

New createCurlCmd feature leaks secrets in log when tracing is enabled #828

nagius opened this issue Aug 27, 2024 · 2 comments · Fixed by #842
Assignees
@jeevatkm
Labels
bug enhancement
Milestone
v2.15.0

Comments

@nagius
Copy link

nagius commented Aug 27, 2024

The new curl log output introduced by #794 will leak secrets when tracing is enabled. See output example:

==============================================================================
~~~ REQUEST(curl) ~~~
CURL:
    curl -X PUT -H 'Accept: application/json' -H 'Authorization: Basic ZGVtbzpwQDU1dzByZA==' -H 'Content-Type: application/json' https://myserver.com/api/endpoint
~~~ REQUEST ~~~
PUT  /api/endpoint  HTTP/1.1
HOST   : myserver.com
HEADERS:
    Accept: application/json
    Authorization: [REDACTED]
    Content-Type: application/json
    User-Agent: go-resty/2.14.0 (https://github.com/go-resty/resty) 
BODY   :
------------------------------------------------------------------------------

For the remaining of the tracing output, it's possible to set a callback with OnRequestLog() than will filter out sensitive data like password or tokens from the log output. (See REDACTED output in the above example). This do not affect the generated curl output.

This generated Curl output is interesting but only in some usecases. Can we add a flag to disable that feature in the trace output ?
Or better, a flag to explicitly enable it (like EnableTraceWithCurl(), with a warning in the docs as this can leak secrets.
@jeevatkm
Copy link
Member

@nagius Thanks for reporting it.

I agree that adding the method EnableTraceWithCurl() would help. Plus, adding details about leak secrets in the godoc.

@jeevatkm jeevatkm self-assigned this Aug 27, 2024
@jeevatkm jeevatkm added this to the v2.15.0 milestone Aug 27, 2024
@jeevatkm jeevatkm mentioned this issue Aug 29, 2024
Closed
@jeevatkm
Copy link
Member

jeevatkm commented Sep 2, 2024
edited
Loading

While implementing, I decided to change the method name as follows on the Client and Request instances -

  • EnableGenerateCurlOnDebug()
  • DisableGenerateCurlOnDebug()

jeevatkm added a commit that referenced this issue Sep 3, 2024
@jeevatkm
fix(enhancement): add explicit option to enable generate curl command…
6cdb251 
… in conjunction with debug mode and few clean ups #828
@jeevatkm jeevatkm mentioned this issue Sep 3, 2024
Merged
jeevatkm added a commit that referenced this issue Sep 3, 2024
@jeevatkm
fix(enhancement): add explicit option to enable generate curl command…
370d744 
… in conjunction with debug mode and few clean ups #828 (#842)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jeevatkm jeevatkm

Labels
bug enhancement
Milestone
v2.15.0
2 participants
@nagius @jeevatkm