From 634d45ed94047f99ac06857975bee3b1ca147c82 Mon Sep 17 00:00:00 2001
From: JiaJunsu
Date: Wed, 30 Nov 2016 13:44:09 -0800
Subject: [PATCH] Filter X-Auth-Token in catch_errors

If X-Auth-Token is logged in files, it may be caught by attackers.
This patch tries to replace token-id by * in log files.

Change-Id: Icf0cd9d4da37575d79a0da94ade979793ad0d3fa
Closes-Bug:#1646254
---
 oslo_middleware/catch_errors.py | 2 ++
 oslo_middleware/tests/test_catch_errors.py | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
index 43d085f..782713b 100644
--- a/oslo_middleware/catch_errors.py
+++ b/oslo_middleware/catch_errors.py
@@ -37,6 +37,8 @@ class CatchErrors(base.ConfigurableMiddleware):
         try:
             response = req.get_response(self.application)
         except Exception:
+            if hasattr(req, 'environ') and 'HTTP_X_AUTH_TOKEN' in req.environ:
+                req.environ['HTTP_X_AUTH_TOKEN'] = '*****'
             LOG.exception(_LE('An error occurred during '
                               'processing the request: %s'), req)
             response = webob.exc.HTTPInternalServerError()
diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
index 920bbe2..66351e5 100644
--- a/oslo_middleware/tests/test_catch_errors.py
+++ b/oslo_middleware/tests/test_catch_errors.py
@@ -26,6 +26,7 @@ class CatchErrorsTest(test_base.BaseTestCase):
     def _test_has_request_id(self, application, expected_code=None):
         app = catch_errors.CatchErrors(application)
         req = webob.Request.blank('/test')
+        req.environ['HTTP_X_AUTH_TOKEN'] = 'hello=world'
         res = req.get_response(app)
         self.assertEqual(expected_code, res.status_int)
 
@@ -45,3 +46,5 @@ class CatchErrorsTest(test_base.BaseTestCase):
         self._test_has_request_id(application,
                                   webob.exc.HTTPInternalServerError.code)
         self.assertEqual(1, log_exc.call_count)
+        req_log = log_exc.call_args[0][1]
+        self.assertIn('X-Auth-Token: *****', str(req_log))
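Review bot: The redaction on the two added lines in catch_errors.py masks only X-Auth-Token, so any other credential-bearing header the request carries (X-Subject-Token, X-Service-Token, Authorization) is still written to the log in full by the `%s` formatting of `req` on the next line. The mask is also applied in place on the live `req.environ`; that is probably harmless here because a 500 is returned immediately after, but any outer middleware that reads the header after this point would see the mask rather than the token, which is worth a comment. Iterating a tuple of environ keys in the except branch keeps the change small and closes the wider gap, and the `hasattr(req, 'environ')` guard looks redundant if `req` is always a webob.Request, as the test in this patch assumes. The enclosing method starts and ends outside the hunk.
```python
        except Exception:
            # Redact credential-bearing headers before the request is
            # formatted into the log line below. This edits the live
            # environ; the request is discarded with a 500 right after.
            for key in ('HTTP_X_AUTH_TOKEN', 'HTTP_X_SUBJECT_TOKEN',
                        'HTTP_X_SERVICE_TOKEN', 'HTTP_AUTHORIZATION'):
                if key in req.environ:
                    req.environ[key] = '*****'
            # … unchanged: LOG.exception call and HTTPInternalServerError response …
```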
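Review bot: The new assertion on the last added line of test_catch_errors.py checks that the mask appears in the logged request but not that the original value is absent, so an implementation that logged both the masked and the raw header would still pass; add `self.assertNotIn('hello=world', str(req_log))` beside it. `log_exc.call_args[0][1]` also ties the test to the positional argument order of the LOG.exception call, which is fine for now but deserves a one-line comment such as `# second positional arg is the request passed as the %s value`. The enclosing test method starts outside the hunk.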