Avoid logging v2 sigs on failure #1679

Merged
merged 1 commit into from
Mar 25, 2021

arielshaqed
Contributor

Auth headers are inherently unsafe: if Eve can read (just) headers and can guess message
contents, then she can fix a broken message and replay it slightly later.

Easiest just to avoid logging bad headers. If there is a problem, record the actual HTTP
requests and responses on the client and send them out of band.
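
The practice this description argues for, as an added Go example that is not part of this pull request or the project's code: when a v2 signature check fails, log the access key ID and a redacted header set, never the signature. The function names, the sensitive-header list and the sample key ID and signature are constructed for illustration, and the header format assumed is AWS Signature Version 2 (`AWS <AccessKeyId>:<Signature>`).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sensitive lists header names whose values authenticate a request (assumed list).
var sensitive = map[string]bool{"Authorization": true, "Cookie": true, "X-Amz-Security-Token": true}

// RedactHeaders copies h for logging, masking every sensitive value.
func RedactHeaders(h http.Header) map[string]string {
	out := make(map[string]string, len(h))
	for name, vals := range h {
		out[name] = strings.Join(vals, ",")
		if sensitive[http.CanonicalHeaderKey(name)] {
			out[name] = "[REDACTED]"
		}
	}
	return out
}

// AccessKeyID returns only the key ID from "AWS <AccessKeyId>:<Signature>", or "".
func AccessKeyID(h http.Header) string {
	scheme, creds, ok := strings.Cut(h.Get("Authorization"), " ")
	keyID, _, hasSig := strings.Cut(creds, ":")
	if !ok || scheme != "AWS" || !hasSig {
		return ""
	}
	return keyID
}

// FailureLogLine builds the log entry for a failed check. It logs r.URL.Path,
// not the full URL: presigned v2 requests carry the signature in the query string.
func FailureLogLine(r *http.Request, reason string) string {
	return fmt.Sprintf("auth failed reason=%q method=%s path=%s access_key_id=%q headers=%v",
		reason, r.Method, r.URL.Path, AccessKeyID(r.Header), RedactHeaders(r.Header))
}

// SampleRequest is a constructed request; the key ID and signature are made up.
func SampleRequest() *http.Request {
	r := httptest.NewRequest("GET", "/repo/main/file?Signature=Q09OU1RSVUNURUQ%3D", nil)
	r.Header.Set("Authorization", "AWS AKIAEXAMPLEKEYID0000:Q09OU1RSVUNURUQ=")
	return r
}

func main() { fmt.Println(FailureLogLine(SampleRequest(), "signature mismatch")) }
```

The key ID stays in the log so failures can still be correlated per credential; the raw request and response, if needed for debugging, are captured on the client as the description suggests.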

@arielshaqed arielshaqed requested a review from ozkatz March 25, 2021 15:00
@arielshaqed arielshaqed added the pr/merge-if-approved Reviewer: please feel free to merge if no major comments label Mar 25, 2021
@arielshaqed
Contributor Author

Found by LGTM.com.

@codecov-io

Codecov Report

Merging #1679 (4a76a30) into master (2c07fcb) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##           master    #1679   +/-   ##
=======================================
  Coverage   39.44%   39.44%           
=======================================
  Files         167      167           
  Lines       13616    13616           
=======================================
  Hits         5371     5371           
  Misses       7483     7483           
  Partials      762      762           
Impacted Files          Coverage Δ
pkg/gateway/sig/v2.go   26.72% <0.00%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@ozkatz ozkatz merged commit ed58184 into master Mar 25, 2021
@ozkatz ozkatz deleted the bugfix/sensitive-logs branch March 25, 2021 15:25
@lgtm-com

lgtm-com bot commented Mar 25, 2021

This pull request fixes 1 alert when merging 4a76a30 into 2c07fcb - view on LGTM.com

fixed alerts:

  • 1 for Clear-text logging of sensitive information
