From ae9d18cb8acadefc53bede2d30ffca69e3ada718 Mon Sep 17 00:00:00 2001 From: Anna Khmelnitsky Date: Wed, 12 Feb 2020 13:01:55 -0800 Subject: [PATCH] Avoid logging sensitive information in http header Change-Id: Ic30b8075cd46632ea68f04c15028b804f63b3947 --- vmware_nsxlib/v3/client.py | 3 ++- vmware_nsxlib/v3/cluster.py | 4 +++- vmware_nsxlib/v3/utils.py | 12 ++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/vmware_nsxlib/v3/client.py b/vmware_nsxlib/v3/client.py index b3754cc4..3e4d7bec 100644 --- a/vmware_nsxlib/v3/client.py +++ b/vmware_nsxlib/v3/client.py @@ -224,7 +224,8 @@ class RESTClient(object): if not silent: LOG.debug("REST call: %s %s. Headers: %s. Body: %s", - method, request_url, request_headers, + method, request_url, + utils.censor_headers(request_headers), self._mask_password(body)) ts = time.time() diff --git a/vmware_nsxlib/v3/cluster.py b/vmware_nsxlib/v3/cluster.py index a712d483..ccf904ab 100644 --- a/vmware_nsxlib/v3/cluster.py +++ b/vmware_nsxlib/v3/cluster.py @@ -323,7 +323,9 @@ class NSXRequestsHTTPProvider(AbstractHTTPProvider): resp.headers[header_name]) LOG.info("Session create succeeded for endpoint %(url)s with " "headers %(hdr)s", - {'url': provider.url, 'hdr': session.default_headers}) + {'url': provider.url, + 'hdr': + utils.censor_headers(session.default_headers)}) class NSXHTTPAdapter(adapters.HTTPAdapter): diff --git a/vmware_nsxlib/v3/utils.py b/vmware_nsxlib/v3/utils.py index 62c0d55a..dfcc12e7 100644 --- a/vmware_nsxlib/v3/utils.py +++ b/vmware_nsxlib/v3/utils.py @@ -62,6 +62,18 @@ def set_inject_headers_callback(callback): INJECT_HEADERS_CALLBACK = callback +def censor_headers(headers): + censored_headers = ['authorization'] + result = {} + for name, value in headers.items(): + if name.lower() in censored_headers: + result[name] = '--- CENSORED ---' + else: + result[name] = value + + return result + + def _update_resource_length(length): global MAX_RESOURCE_TYPE_LEN MAX_RESOURCE_TYPE_LEN = length