Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: request returns non-idiomatic error messages that may leak sensitive info #47442

Open
lpar opened this issue Jul 28, 2021 · 2 comments
Open

Comments

@lpar
Copy link

@lpar lpar commented Jul 28, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16.6 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOVERSION="go1.16.6"

What did you do?

Got a context deadline timeout from an HTTP PATCH request.

What did you expect to see?

An idiomatic error return.

What did you see instead?

Error processing request: Patch "http://www.example.com/sensitiveurl": context deadline exceeded

i.e. returned error has "patch" capitalized.

Error also includes the entire URL, even for a POST/PUT/PATCH which may involve a sensitive URL.

Comments

The HTTP verb formatting is from net/http/client.go in urlErrorOp. I'd suggest that it should either make the verb all caps (like in the actual protocol and the http.MethodFoo constants), or leave it lower case.

I'd argue that it's the responsibility of the code calling request.Do to log the entire URL if appropriate. Having to perform a text search-and-replace on error strings to sanitize them before reporting them is undesirable.

Sample code

package main

import (
	"context"
	"log"
	"net/http"
)

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 1)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, "PATCH", "http://www.example.com/sensitiveurl", nil)
	if err != nil {
		panic(err)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Printf("Error processing request: %v", err)
	}
	defer resp.Body.Close()
}
@cagedmantis cagedmantis changed the title net/http returns non-idiomatic error messages that may leak sensitive info net/http: request returns non-idiomatic error messages that may leak sensitive info Jul 28, 2021
@cagedmantis cagedmantis added this to the Backlog milestone Jul 28, 2021
@cagedmantis
Copy link
Contributor

@cagedmantis cagedmantis commented Jul 28, 2021

/cc @neild

@neild
Copy link
Contributor

@neild neild commented Jul 28, 2021

http.Client methods always return a *url.Error.

The operation of the error (the url.Error.Op field) is always capitalized: Get, Put, Patch, etc. This has been the case since the type was added in 2009. Perhaps it would make more sense to return a fully-capitalized operation name (GET, PUT, etc.), but changing the text of these errors at this time will doubtless cause a great many failures in tests depending on the exact error text. I'm not certain that the pain of changing it would be worth any benefit.

http.Client methods include the URL of the failing request. The http package does attempt to strip passwords from request URLs in errors (client.go#1003), but it is of course possible for a URL to contain sensitive information, regardless of the HTTP verb used.

#44819 proposes adding a method to entirely omit URLs from error strings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants