diff options
author | Nick Thomas <nick@gitlab.com> | 2018-03-28 16:00:21 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2018-03-28 16:00:21 +0300 |
commit | e51175062c0fada8fadc37f6fc96531ff750221b (patch) | |
tree | 50517afa2dc7c2678e1e574336d3bdb5bbb8f6c7 | |
parent | df613ba82df6e5a9b6a88fe695e2d29827cf44fa (diff) | |
parent | 9c295131dd7ee64bbc19f46521f8568f75498975 (diff) |
Merge branch '116-dont-log-query-strings' into 'master'
Resolve "Don't log query strings"
Closes #116
See merge request gitlab-org/gitlab-pages!77
-rw-r--r-- | logging.go | 22 | ||||
-rw-r--r-- | logging_test.go | 14 |
2 files changed, 32 insertions, 4 deletions
@@ -3,6 +3,7 @@ package main import ( "fmt" "net/http" + "net/url" "time" log "github.com/sirupsen/logrus" @@ -64,19 +65,32 @@ func (l *loggingResponseWriter) WriteHeader(status int) { l.rw.WriteHeader(status) } -func (l *loggingResponseWriter) Log(r *http.Request) { - fields := log.Fields{ +func (l *loggingResponseWriter) extractLogFields(r *http.Request) log.Fields { + referer := r.Referer() + parsedReferer, err := url.Parse(referer) + + // The referer query string may contain credentials, so remove if possible + if err == nil { + parsedReferer.RawQuery = "" + referer = parsedReferer.String() + } + + return log.Fields{ "host": r.Host, "remoteAddr": r.RemoteAddr, "method": r.Method, - "uri": r.RequestURI, + "uri": r.URL.Path, //The request query string may contain credentials "proto": r.Proto, "status": l.status, "written": l.written, - "referer": r.Referer(), + "referer": referer, "userAgent": r.UserAgent(), "duration": time.Since(l.started).Seconds(), } +} + +func (l *loggingResponseWriter) Log(r *http.Request) { + fields := l.extractLogFields(r) switch accessLogFormat { case "text": diff --git a/logging_test.go b/logging_test.go index bc557a71..8cabbde7 100644 --- a/logging_test.go +++ b/logging_test.go @@ -3,6 +3,7 @@ package main import ( "fmt" "net/http" + "net/http/httptest" "testing" "github.com/stretchr/testify/assert" @@ -28,6 +29,19 @@ func testLogWithDoubleStatus(ww http.ResponseWriter, r *http.Request) { http.Redirect(&w, r, "/test", 301) } +func TestExtractLogFieldsHidesQueryStrings(t *testing.T) { + w := httptest.NewRecorder() + r := httptest.NewRequest("GET", "/foo?token=bar", nil) + r.Header.Set("Referer", "http://invalid.com/bar?token=baz") + + l := newLoggingResponseWriter(w) + + fields := l.extractLogFields(r) + + assert.Equal(t, fields["uri"], "/foo") + assert.Equal(t, fields["referer"], "http://invalid.com/bar") +} + func TestLoggingWriter(t *testing.T) { assert.HTTPBodyContains(t, testLogWithStatus, "GET", "/test", nil, "with-status") assert.HTTPBodyContains(t, testLogWithoutStatus, "GET", "/test", nil, "no-status") |