Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure we don't log sensitive query params in the st2api log file #4592

Merged
merged 7 commits into from
Mar 13, 2019
Merged

Make sure we don't log sensitive query params in the st2api log file #4592

merged 7 commits into from
Mar 13, 2019

Conversation

Kami
Copy link
Member

@Kami Kami commented Mar 13, 2019
edited
Loading

Our logging middleware didn't mask / remove auth token and api key values if those were provided via query parameters and not headers.

This pull request fixes that.

Keep in mind that providing it as header is still preferred, especially when integrating with 3rd party services, because a lot of services log actual full URL with a query string which could mean leaking those values there. I will add a note about that to the docs.

Resolves #4589.

Also, as commented on #4589, I believe that issue actually talks about token being logged in a loadbalancer log or similar because the log line doesn't look anything like st2api log line. In that scenario we can't do anything about that and that's why I mentioned above, using headers is preferred (and I will also document that).

TODO

  • Tests
  • Documentation change

@Kami
Make sure we don't log API key inside st2api log file if API key is
dece1e8 
provided using "?st2-api-key" query parameter.
@Kami Kami added the bug label Mar 13, 2019
@Kami
Also mask query parameters which are defined in
2dd806d 
MASKED_ATTRIBUTES_BLACKLIST constant and log.mask_secrets_blacklist
config option.
@Kami Kami added the security label Mar 13, 2019
@Kami Kami added this to the 2.10.4 milestone Mar 13, 2019
@Kami Kami mentioned this pull request Mar 13, 2019
Merged
@Kami
Copy link
Member Author

Kami commented Mar 13, 2019

I forgot I already added a note about that to the docs in the past so I only made a small formatting change - StackStorm/st2docs#866.

bigmstone
bigmstone approved these changes Mar 13, 2019
View reviewed changes
Copy link
Contributor

@bigmstone bigmstone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@Kami Kami merged commit 89bf032 into master Mar 13, 2019
@Kami Kami deleted the mask_secret_query_param_in_api_logs branch March 13, 2019 14:53
@Kami Kami mentioned this pull request Mar 13, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bigmstone bigmstone bigmstone approved these changes

Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
2.10.4
Development

Successfully merging this pull request may close these issues.

The api key in the st2api log is not obfuscated
2 participants
@Kami @bigmstone