Merge pull request #10994 from sstrigler/EMQX-10003-e-5-0-4-auth-head…

…er-value-of-webhook-data-bridge-can-be-found-in-emqx-log fix(emqx_utils): redact proxy-authorization headers
emqx · Jun 10, 2023 · f98cdd4 · f98cdd4
2 parents 22df275 + 57d72ed
commit f98cdd4
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 8 deletions.
diff --git a/apps/emqx_utils/src/emqx_utils.erl b/apps/emqx_utils/src/emqx_utils.erl
@@ -600,15 +600,18 @@ try_to_existing_atom(Convert, Data, Encoding) ->
         _:Reason -> {error, Reason}
     end.
 
-is_sensitive_key(token) -> true;
-is_sensitive_key("token") -> true;
-is_sensitive_key(<<"token">>) -> true;
 is_sensitive_key(authorization) -> true;
 is_sensitive_key("authorization") -> true;
 is_sensitive_key(<<"authorization">>) -> true;
+is_sensitive_key(aws_secret_access_key) -> true;
+is_sensitive_key("aws_secret_access_key") -> true;
+is_sensitive_key(<<"aws_secret_access_key">>) -> true;
 is_sensitive_key(password) -> true;
 is_sensitive_key("password") -> true;
 is_sensitive_key(<<"password">>) -> true;
+is_sensitive_key('proxy-authorization') -> true;
+is_sensitive_key("proxy-authorization") -> true;
+is_sensitive_key(<<"proxy-authorization">>) -> true;
 is_sensitive_key(secret) -> true;
 is_sensitive_key("secret") -> true;
 is_sensitive_key(<<"secret">>) -> true;
@@ -618,9 +621,9 @@ is_sensitive_key(<<"secret_key">>) -> true;
 is_sensitive_key(security_token) -> true;
 is_sensitive_key("security_token") -> true;
 is_sensitive_key(<<"security_token">>) -> true;
-is_sensitive_key(aws_secret_access_key) -> true;
-is_sensitive_key("aws_secret_access_key") -> true;
-is_sensitive_key(<<"aws_secret_access_key">>) -> true;
+is_sensitive_key(token) -> true;
+is_sensitive_key("token") -> true;
+is_sensitive_key(<<"token">>) -> true;
 is_sensitive_key(_) -> false.
 
 redact(Term) ->
@@ -731,9 +734,14 @@ redact_test_() ->
 
     Types = [atom, string, binary],
     Keys = [
-        token,
+        authorization,
+        aws_secret_access_key,
         password,
-        secret
+        'proxy-authorization',
+        secret,
+        secret_key,
+        security_token,
+        token
     ],
     [{case_name(Type, Key), fun() -> Case(Type, Key) end} || Key <- Keys, Type <- Types].
 

diff --git a/changes/ce/fix-10994.en.md b/changes/ce/fix-10994.en.md
@@ -0,0 +1 @@
+Redact `proxy-authorization` headers as used by HTTP connector to not leak secrets into log-files.