
Merge pull request #3327 from t3chguy/redact_as_request_token
Strip `access_token` from outgoing requests
richvdh authored Jun 5, 2018
2 parents 617afee + e6cbf47 commit e316407
Showing 3 changed files with 18 additions and 9 deletions.
13 changes: 13 additions & 0 deletions synapse/http/__init__.py
Expand Up @@ -13,6 +13,8 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import re

from twisted.internet.defer import CancelledError
from twisted.python import failure

Expand All @@ -34,3 +36,14 @@ def cancelled_to_request_timed_out_error(value, timeout):
value.trap(CancelledError)
raise RequestTimedOutError()
return value


ACCESS_TOKEN_RE = re.compile(br'(\?.*access(_|%5[Ff])token=)[^&]*(.*)$')


def redact_uri(uri):
"""Strips access tokens from the uri replaces with <redacted>"""
return ACCESS_TOKEN_RE.sub(
br'\1<redacted>\3',
uri
)
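Review bot: The greedy `\?.*` in `ACCESS_TOKEN_RE` anchors on the last `access_token=` in the query string, so a URI that carries the parameter twice (`?access_token=A&access_token=B`) gets only B redacted and A is still written to the log; since site.py now delegates to this same helper, `get_redacted_uri` inherits the gap. Matching each occurrence instead lets `re.sub` redact all of them: `ACCESS_TOKEN_RE = re.compile(br'([?&]access(?:_|%5[Ff])token=)[^&]*')` with `return ACCESS_TOKEN_RE.sub(br'\1<redacted>', uri)`. The docstring should also spell out the contract callers depend on: the pattern is a bytes regex so `uri` must be `bytes`, only the query component is scanned, both `access_token` and the percent-encoded `access%5Ftoken` spelling are recognised, and the value is cut at the next `&`.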
5 changes: 3 additions & 2 deletions synapse/http/client.py
Expand Up @@ -19,7 +19,7 @@
from synapse.api.errors import (
CodeMessageException, MatrixCodeMessageException, SynapseError, Codes,
)
from synapse.http import cancelled_to_request_timed_out_error
from synapse.http import cancelled_to_request_timed_out_error, redact_uri
from synapse.util.async import add_timeout_to_deferred
from synapse.util.caches import CACHE_SIZE_FACTOR
from synapse.util.logcontext import make_deferred_yieldable
Expand Down Expand Up @@ -90,7 +90,8 @@ def request(self, method, uri, *args, **kwargs):
# counters to it
outgoing_requests_counter.labels(method).inc()

logger.info("Sending request %s %s", method, uri)
# log request but strip `access_token` (AS requests for example include this)
logger.info("Sending request %s %s", method, redact_uri(uri))

try:
request_deferred = self.agent.request(
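Review bot: The new log line calls `redact_uri(uri)`, which is backed by a bytes-compiled regex, so if any caller of `request` passes a text URI the redaction raises TypeError under Python 3 and the request fails before it is sent; whether text URIs reach here is not visible in the hunk, so this is a point to confirm rather than a known break. If mixed input is possible, normalise first with `redact_uri(uri if isinstance(uri, bytes) else uri.encode("utf-8"))`, or make `redact_uri` itself tolerate both. Note too that only this one log line is redacted: the body of `request` continues below the hunk, and any later logging of `uri` on error or timeout paths would still carry the raw token.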
9 changes: 2 additions & 7 deletions synapse/http/site.py
Expand Up @@ -14,18 +14,16 @@

import contextlib
import logging
import re
import time

from twisted.web.server import Site, Request

from synapse.http import redact_uri
from synapse.http.request_metrics import RequestMetrics
from synapse.util.logcontext import LoggingContext

logger = logging.getLogger(__name__)

ACCESS_TOKEN_RE = re.compile(br'(\?.*access(_|%5[Ff])token=)[^&]*(.*)$')

_next_request_seq = 0


Expand Down Expand Up @@ -69,10 +67,7 @@ def get_request_id(self):
return "%s-%i" % (self.method, self.request_seq)

def get_redacted_uri(self):
return ACCESS_TOKEN_RE.sub(
br'\1<redacted>\3',
self.uri
)
return redact_uri(self.uri)

def get_user_agent(self):
return self.requestHeaders.getRawHeaders(b"User-Agent", [None])[-1]
Expand Down
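Review bot: `get_redacted_uri` still has no docstring after the rewrite to delegate, and since this is the value that ends up in access logs a one-liner stating the intent helps the next reader: `"""Return self.uri with any access_token query value replaced by <redacted>, for logging."""`. Dropping `import re` is only safe if nothing else in site.py still uses the module; the rest of the file is outside this hunk, so that is worth a quick grep before merging. The `ACCESS_TOKEN_RE` removed here was identical to the one added in synapse/http/__init__.py, so any change to that pattern's behaviour now applies to both server-side and client-side logging at once.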

0 comments on commit e316407
