From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001
From: Jamie Lennox <jamielennox@gmail.com>
Date: Wed, 28 Sep 2016 15:03:53 +1000
Subject: [PATCH] Filter token data out of catch_errors middleware
If an exception is caught by the catch_errors middleware the entire
request is dumped into the log including sensitive information like
tokens. Filter that information before outputting the failed request.
Closes-Bug: #1628031
Change-Id: I2563403993513c37751576223275350cac2e0937
---
oslo_middleware/catch_errors.py | 6 +++++-
oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
index 43d085f..0934fc5 100644
--- a/oslo_middleware/catch_errors.py
+++ b/oslo_middleware/catch_errors.py
@@ -14,6 +14,7 @@
# under the License.
import logging
+import re
import webob.dec
import webob.exc
@@ -24,6 +25,8 @@ from oslo_middleware import base
LOG = logging.getLogger(__name__)
+_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)
+
class CatchErrors(base.ConfigurableMiddleware):
"""Middleware that provides high-level error handling.
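Review bot: The pattern on the `_TOKEN_RE` line is a non-raw string containing `\w`, which Python treats as an invalid escape sequence (a DeprecationWarning from 3.6, a SyntaxWarning from 3.12); write it as `r'^(X-\w+-Token):.*$'`. The match is also case-sensitive and `\w+` does not span a hyphen, so a header name in a different case, or with more than one segment before `-Token`, would be logged unredacted unless `req.as_text()` normalizes header names in the webob version in use — worth confirming; `re.compile(r'^(X-[\w-]+-Token):.*$', flags=re.MULTILINE | re.IGNORECASE)` would cover both. A one-line comment above the constant, such as `# Masks the value of any X-*-Token header before a failed request is logged`, would tell the next reader what this is guarding.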
@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware):
try:
response = req.get_response(self.application)
except Exception:
+ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text())
LOG.exception(_LE('An error occurred during '
- 'processing the request: %s'), req)
+ 'processing the request: %s'), req_str)
response = webob.exc.HTTPInternalServerError()
return response
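Review bot: The `req_str` line calls `req.as_text()` inside the `except` handler, so any exception it raises (for example a body that cannot be decoded with the request charset, if that is how the webob version in use behaves) escapes the middleware and the client never gets the `HTTPInternalServerError` built two lines below; guarding that call, e.g. falling back to logging only the method and path when `as_text()` fails, preserves the catch-all behaviour. Separately, only `X-*-Token` header lines are masked while the request body is still logged verbatim (the new test asserts `'test data'` appears), and bodies sent to authentication endpoints can carry passwords or tokens; if that is in scope, `req.as_text(skip_body=True)` or a length cap on the logged body would limit the exposure. The enclosing method starts before this hunk.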
diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
index 920bbe2..0b675e2 100644
--- a/oslo_middleware/tests/test_catch_errors.py
+++ b/oslo_middleware/tests/test_catch_errors.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import fixtures
import mock
from oslotest import base as test_base
import webob.dec
@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
self._test_has_request_id(application,
webob.exc.HTTPInternalServerError.code)
self.assertEqual(1, log_exc.call_count)
+
+ def test_filter_tokens_from_log(self):
+ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
+
+ @webob.dec.wsgify
+ def application(req):
+ raise Exception()
+
+ app = catch_errors.CatchErrors(application)
+ req = webob.Request.blank('/test',
+ text=u'test data',
+ method='POST',
+ headers={'X-Auth-Token': 'secret1',
+ 'X-Service-Token': 'secret2',
+ 'X-Other-Token': 'secret3'})
+ res = req.get_response(app)
+ self.assertEqual(500, res.status_int)
+
+ output = logger.output
+
+ self.assertIn('X-Auth-Token: <removed>', output)
+ self.assertIn('X-Service-Token: <removed>', output)
+ self.assertIn('X-Other-Token: <removed>', output)
+ self.assertIn('test data', output)
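Review bot: The assertions at the end of `test_filter_tokens_from_log` check that the `<removed>` placeholder is present but never that the secret values are absent, so a regression that leaves part of the value in the line alongside the placeholder would still pass. Add `self.assertNotIn('secret1', output)`, `self.assertNotIn('secret2', output)` and `self.assertNotIn('secret3', output)` after the existing `assertIn` checks so the test pins the property the commit is actually about.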
--
2.7.4