Don't log request or referer query strings

author: Nick Thomas <nick@gitlab.com> 2018-03-26 19:59:50 +0300
committer: Nick Thomas <nick@gitlab.com> 2018-03-28 15:46:09 +0300
commit: 9c295131dd7ee64bbc19f46521f8568f75498975 (patch)
tree: 50517afa2dc7c2678e1e574336d3bdb5bbb8f6c7 /logging_test.go
parent: df613ba82df6e5a9b6a88fe695e2d29827cf44fa (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/logging_test.go b/logging_test.go
index bc557a71..8cabbde7 100644
--- a/logging_test.go
+++ b/logging_test.go
@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -28,6 +29,19 @@ func testLogWithDoubleStatus(ww http.ResponseWriter, r *http.Request) {
 	http.Redirect(&w, r, "/test", 301)
 }
 
+func TestExtractLogFieldsHidesQueryStrings(t *testing.T) {
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest("GET", "/foo?token=bar", nil)
+	r.Header.Set("Referer", "http://invalid.com/bar?token=baz")
+
+	l := newLoggingResponseWriter(w)
+
+	fields := l.extractLogFields(r)
+
+	assert.Equal(t, fields["uri"], "/foo")
+	assert.Equal(t, fields["referer"], "http://invalid.com/bar")
+}
+
 func TestLoggingWriter(t *testing.T) {
 	assert.HTTPBodyContains(t, testLogWithStatus, "GET", "/test", nil, "with-status")
 	assert.HTTPBodyContains(t, testLogWithoutStatus, "GET", "/test", nil, "no-status")
author	Nick Thomas <nick@gitlab.com>	2018-03-26 19:59:50 +0300
committer	Nick Thomas <nick@gitlab.com>	2018-03-28 15:46:09 +0300
commit	9c295131dd7ee64bbc19f46521f8568f75498975 (patch)
tree	50517afa2dc7c2678e1e574336d3bdb5bbb8f6c7 /logging_test.go
parent	df613ba82df6e5a9b6a88fe695e2d29827cf44fa (diff)