From 6b34416026120c72fa63e260c228f3fce3497460 Mon Sep 17 00:00:00 2001
From: Shawn Wang
Date: Fri, 25 Sep 2020 14:35:38 -0700
Subject: [PATCH] Fix Sensitive Header Censorship in Log

- Add censoring of sensitive headers from being logged in _proxy()
- Fix issue where Cookie and X-XSRF-TOKEN were not censored as intended

Change-Id: I14b422a25b40d0014c05226f9ae4fe8be75e33fb
---
 vmware_nsxlib/v3/cluster.py | 6 +++++-
 vmware_nsxlib/v3/utils.py   | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/vmware_nsxlib/v3/cluster.py b/vmware_nsxlib/v3/cluster.py
index e9d8ac00..ebed497d 100644
--- a/vmware_nsxlib/v3/cluster.py
+++ b/vmware_nsxlib/v3/cluster.py
@@ -762,9 +762,13 @@ class ClusteredAPI(object):
         kwargs['headers'] = kwargs.get('headers', {})
         kwargs['headers'].update(conn.default_headers)
         if not self._silent:
+            # To censor sensitive headers before logging
+            kwargs_copy = copy.copy(kwargs)
+            kwargs_copy['headers'] = utils.censor_headers(
+                kwargs_copy['headers'])
             LOG.debug("API cluster proxy %s %s to %s with %s. "
                       "Waited conn: %2.4f, rate: %2.4f",
-                      proxy_for.upper(), uri, url, kwargs,
+                      proxy_for.upper(), uri, url, kwargs_copy,
                       conn_data.conn_wait, conn_data.rate_wait)
 
         # call the actual connection method to do the
diff --git a/vmware_nsxlib/v3/utils.py b/vmware_nsxlib/v3/utils.py
index 50999aa4..016d7c00 100644
--- a/vmware_nsxlib/v3/utils.py
+++ b/vmware_nsxlib/v3/utils.py
@@ -64,7 +64,7 @@ def set_inject_headers_callback(callback):
 
 
 def censor_headers(headers):
-    censored_headers = ['authorization', 'X-XSRF-TOKEN', 'Cookie']
+    censored_headers = ['authorization', 'x-xsrf-token', 'cookie']
     result = {}
     for name, value in headers.items():
         if name.lower() in censored_headers:
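Review bot: The shallow `copy.copy(kwargs)` on the new lines is only correct because `utils.censor_headers` builds and returns a fresh dict instead of mutating its argument, so rebinding `kwargs_copy['headers']` leaves the real request's headers intact; that invariant is not visible from this hunk and deserves a comment so nobody "fixes" it into an in-place censor, e.g. `# shallow copy is enough: censor_headers returns a new dict, the original headers still go out on the wire`. Note that only the `headers` entry is censored; every other value in `kwargs` (a request body passed as `data`, for instance, if callers send credentials that way) is still logged verbatim through the `%s`, which is worth either stating in the comment or handling the same way. The enclosing method starts and continues outside the hunk, so whether `copy` is imported in cluster.py cannot be confirmed here.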
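Review bot: The diffstat shows no test change, yet the bug being fixed is exactly the kind a one-line regression test catches: the old list was compared case-sensitively against `name.lower()`, so `Cookie` and `X-XSRF-TOKEN` were never matched, and a test asserting that `censor_headers({'Cookie': 'x', 'X-XSRF-TOKEN': 'y'})` no longer returns the raw values would keep that from recurring. On style, hoisting the list to a module-level `_CENSORED_HEADERS = frozenset(('authorization', 'x-xsrf-token', 'cookie'))` both documents that the entries must be lowercase and avoids rebuilding it per call. A short docstring such as `"""Return a copy of *headers* with credential-bearing values masked; matching is case-insensitive."""` would help too. The body of `censor_headers` runs past the end of the hunk.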