Add new prefixes to the "sensitiveBackendPrefixes" list (#19287)

gravitational · Dec 14, 2022 · 248198f · 248198f
1 parent 557d68d
commit 248198f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/lib/backend/report.go b/lib/backend/report.go
@@ -408,8 +408,10 @@ func buildKeyLabel(key string, sensitivePrefixes []string) string {
 // sensitive values.
 var sensitiveBackendPrefixes = []string{
 	"tokens",
-	"resetpasswordtokens",
-	"adduseru2fchallenges",
+	"usertoken",
+	// Global passwordless challenges, keyed by challenge, as per
+	// https://github.com/gravitational/teleport/blob/01775b73f138ff124ff0351209d629bb01836869/lib/services/local/users.go#L1510.
+	"sessionData",
 	"access_requests",
 }
 

diff --git a/lib/backend/report_test.go b/lib/backend/report_test.go
@@ -84,3 +84,21 @@ func TestBuildKeyLabel(t *testing.T) {
 		require.Equal(t, tc.masked, buildKeyLabel(tc.input, sensitivePrefixes))
 	}
 }
+
+func TestBuildLabelKey_SensitiveBackendPrefixes(t *testing.T) {
+	testCases := []struct {
+		input  string
+		masked string
+	}{
+		{"/tokens/1234-5678", "/tokens/******678"},
+		{"/usertoken/1234-5678", "/usertoken/******678"},
+		{"/access_requests/1234-5678", "/access_requests/******678"},
+
+		{"/webauthn/sessionData/login/1234-5678", "/webauthn/sessionData"},
+		{"/webauthn/sessionData/1234-5678", "/webauthn/sessionData"},
+		{"/sessionData/1234-5678", "/sessionData/******678"},
+	}
+	for _, tc := range testCases {
+		require.Equal(t, tc.masked, buildKeyLabel(tc.input, sensitiveBackendPrefixes))
+	}
+}