fix panicing sanitizer as described in #3

go-pkgz · Feb 6, 2019 · 47eaa0b · 47eaa0b
1 parent d804141
commit 47eaa0b
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 19 deletions.
diff --git a/logger/logger.go b/logger/logger.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
+	"sort"
 	"strings"
 	"time"
 )
@@ -179,25 +180,40 @@ func (l *Middleware) inLogFlags(f Flag) bool {
 	return false
 }
 
-var hideWords = []string{"password", "passwd", "secret", "credentials"}
+var hideWords = []string{"password", "passwd", "secret", "credentials", "token"}
 
+// hide query values for hideWords. May change order of query params
 func (l *Middleware) sanitizeQuery(inp string) string {
-	out := []rune(inp)
-	for _, h := range hideWords {
-		if strings.Contains(strings.ToLower(inp), h+"=") {
-			stPos := strings.Index(strings.ToLower(inp), h+"=") + len(h) + 1
-			fnPos := strings.Index(inp[stPos:], "&")
-			if fnPos == -1 {
-				fnPos = len(inp)
-			} else {
-				fnPos = stPos + fnPos
-			}
-			for i := stPos; i < fnPos; i++ {
-				out[i] = rune('*')
+
+	inHiddenWords := func(str string) bool {
+		for _, w := range hideWords {
+			if strings.EqualFold(w, str) {
+				return true
 			}
 		}
+		return false
+	}
+
+	parts := strings.SplitN(inp, "?", 2)
+	if len(parts) < 2 {
+		return inp
+	}
+
+	q, e := url.ParseQuery(parts[1])
+	if e != nil || len(q) == 0 {
+		return inp
+	}
+
+	res := []string{}
+	for k, v := range q {
+		if inHiddenWords(k) {
+			res = append(res, fmt.Sprintf("%s=********", k))
+		} else {
+			res = append(res, fmt.Sprintf("%s=%v", k, v[0]))
+		}
 	}
-	return string(out)
+	sort.Strings(res) // to make testing persistent
+	return parts[0] + "?" + strings.Join(res, "&")
 }
 
 // customResponseWriter implements ResponseWriter and keeping status and size

diff --git a/logger/logger_test.go b/logger/logger_test.go
@@ -207,13 +207,20 @@ func TestSanitizeReqURL(t *testing.T) {
 		out string
 	}{
 		{"", ""},
-		{"/aa/bb?xyz=123", "/aa/bb?xyz=123"},
-		{"/aa/bb?xyz=123&secret=asdfghjk", "/aa/bb?xyz=123&secret=********"},
-		{"/aa/bb?xyz=123&secret=asdfghjk&key=val", "/aa/bb?xyz=123&secret=********&key=val"},
-		{"/aa/bb?xyz=123&secret=asdfghjk&key=val&password=1234", "/aa/bb?xyz=123&secret=********&key=val&password=****"},
+		{"https://aaa.example.com:9090/aa/bb", "https://aaa.example.com:9090/aa/bb"},
+		{"https://aaa.example.com:9090/aa/bb?xyz=123", "https://aaa.example.com:9090/aa/bb?xyz=123"},
+		{"/aa/bb?xyz=123&seCret=asdfghjk", "/aa/bb?seCret=********&xyz=123"},
+		{"/aa/bb?xyz=123&secret=asdfghjk&key=val", "/aa/bb?key=val&secret=********&xyz=123"},
+		{"/aa/bb?xyz=123&secret=asdfghjk&key=val&password=1234", "/aa/bb?key=val&password=********&secret=********&xyz=123"},
+		{"/aa/bb?xyz=тест&passwoRD=1234", "/aa/bb?passwoRD=********&xyz=тест"},
+		{"/aa/bb?xyz=тест&password=1234&bar=buzz", "/aa/bb?bar=buzz&password=********&xyz=тест"},
+		{"/aa/bb?xyz=тест&password=пароль&bar=buzz", "/aa/bb?bar=buzz&password=********&xyz=тест"},
+		{"http://xyz.example.com/aa/bb?xyz=тест&password=пароль&bar=buzz&q=?sss?ccc", "http://xyz.example.com/aa/bb?bar=buzz&password=********&q=?sss?ccc&xyz=тест"},
 	}
 	l := New()
 	for i, tt := range tbl {
-		assert.Equal(t, tt.out, l.sanitizeQuery(tt.in), "check #%d, %s", i, tt.in)
+		t.Run(tt.in, func(t *testing.T) {
+			assert.Equal(t, tt.out, l.sanitizeQuery(tt.in), "check #%d, %s", i, tt.in)
+		})
 	}
 }