Filter X-Auth-Token in catch_errors

If X-Auth-Token is logged in files, it may be caught by attackers. This patch tries to replace token-id by * in log files. Change-Id: Icf0cd9d4da37575d79a0da94ade979793ad0d3fa Closes-Bug:#1646254
2016-11-30 13:44:09 -08:00 · 2016-11-30 13:44:09 -08:00 · 634d45ed94
parent 78bffce487
commit 634d45ed94
2 changed files with 5 additions and 0 deletions
--- a/oslo_middleware/catch_errors.py
+++ b/oslo_middleware/catch_errors.py
@ -37,6 +37,8 @@ class CatchErrors(base.ConfigurableMiddleware):
        try:
            response = req.get_response(self.application)
        except Exception:
+            if hasattr(req, 'environ') and 'HTTP_X_AUTH_TOKEN' in req.environ:
+                req.environ['HTTP_X_AUTH_TOKEN'] = '*****'
            LOG.exception(_LE('An error occurred during '
                              'processing the request: %s'), req)
            response = webob.exc.HTTPInternalServerError()
--- a/oslo_middleware/tests/test_catch_errors.py
+++ b/oslo_middleware/tests/test_catch_errors.py
@ -26,6 +26,7 @@ class CatchErrorsTest(test_base.BaseTestCase):
    def _test_has_request_id(self, application, expected_code=None):
        app = catch_errors.CatchErrors(application)
        req = webob.Request.blank('/test')
+        req.environ['HTTP_X_AUTH_TOKEN'] = 'hello=world'
        res = req.get_response(app)
        self.assertEqual(expected_code, res.status_int)

@ -45,3 +46,5 @@ class CatchErrorsTest(test_base.BaseTestCase):
            self._test_has_request_id(application,
                                      webob.exc.HTTPInternalServerError.code)
            self.assertEqual(1, log_exc.call_count)
+            req_log = log_exc.call_args[0][1]
+            self.assertIn('X-Auth-Token: *****', str(req_log))