Fix Sensitive Header Censorship in Log

- Add censoring of sensitive headers from being logged in _proxy()
- Fix issue where Cookie and X-XSRF-TOKEN were not censored as intended

Change-Id: I14b422a25b40d0014c05226f9ae4fe8be75e33fb
(cherry picked from commit 6b34416026)
This commit is contained in:
Shawn Wang 2020-09-25 14:35:38 -07:00
parent 8e7075b69d
commit d47b0adf73
No known key found for this signature in database
GPG Key ID: C98A86CC967E89A7
2 changed files with 6 additions and 2 deletions

View File

@ -762,9 +762,13 @@ class ClusteredAPI(object):
kwargs['headers'] = kwargs.get('headers', {})
kwargs['headers'].update(conn.default_headers)
if not self._silent:
# To censor sensitive headers before logging
kwargs_copy = copy.copy(kwargs)
kwargs_copy['headers'] = utils.censor_headers(
kwargs_copy['headers'])
LOG.debug("API cluster proxy %s %s to %s with %s. "
"Waited conn: %2.4f, rate: %2.4f",
proxy_for.upper(), uri, url, kwargs,
proxy_for.upper(), uri, url, kwargs_copy,
conn_data.conn_wait, conn_data.rate_wait)
# call the actual connection method to do the

View File

@ -64,7 +64,7 @@ def set_inject_headers_callback(callback):
def censor_headers(headers):
censored_headers = ['authorization']
censored_headers = ['authorization', 'x-xsrf-token', 'cookie']
result = {}
for name, value in headers.items():
if name.lower() in censored_headers: