Sensitive information leak in recovery middleware

[lacombar]

• go version: 1.10
• gin version (or commit ref): b869fe1
• operating system: Fedora

Description

As of v1.3.0, the recovery middleware is dumping the request header which can leak sensitive information such a login credentials & API key. In turn, these informations can end up in logs or even in the public space, such as:

https://community.getchannels.com/t/recovery-panic-recovered/1091

I'm not sure of the right way to fix this, but a set of nice-to-have knobs would be:

• obfuscate a set of headers by default
• allow configuration of this set of headers
• let API builder turn this off explicitly.

Screenshots

2018/09/20 19:32:07 [Recovery] 2018/09/20 - 19:32:07 panic recovered:
GET /v1/path/7e97cae5-e779-4d1c-6150-971e0a8b6f31 HTTP/1.1        
Accept-Encoding: gzip                                                
Authorization: bearer DUMMY                                          
Connection: close                                                    
Content-Type: application/json                                       
User-Agent: Go-http-client/1.1

[thinkerou]

duplicated #1331

[appleboy]

PR has been merged. #1370