
fix: redact sensitive header in error message (#254)
mayitbeegh authored Mar 17, 2020
1 parent 16d766e commit e0cd5c3
Showing 1 changed file with 19 additions and 0 deletions.
Expand Up @@ -17,14 +17,18 @@
package com.nike.cerberus.error;

import com.codahale.metrics.Counter;
import com.google.common.collect.ImmutableSet;
import com.nike.backstopper.apierror.ApiError;
import com.nike.backstopper.handler.ApiExceptionHandlerUtils;
import com.nike.backstopper.handler.RequestInfoForLogging;
import com.nike.cerberus.metric.MetricsService;
import com.nike.internal.util.Pair;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
Expand All @@ -46,6 +50,9 @@ public class SfxAwareApiExceptionHandlerUtils extends ApiExceptionHandlerUtils {
public static final String CONTRIBUTING_ERRORS_DIM_KEY = "contributing_errors";
/** The name/key of the exception class dimension applied to the API errors metric. */
public static final String EXCEPTION_CLASS_DIM_KEY = "exception_class";
/** The names/keys of sensitive HTTP headers in lower case. */
public static final Set<String> sensitiveHeaderNamesInLowerCase =
ImmutableSet.of("authorization", "x-amz-security-token", "x-cerberus-token", "x-vault-token");

private final MetricsService metricsService;

Expand All @@ -62,6 +69,7 @@ public String buildErrorMessageForLogs(
Integer httpStatusCode,
Throwable cause,
List<Pair<String, String>> extraDetailsForLogging) {
redactSensitiveHeaders(request);
try {
// Do the normal logging thing.
return super.buildErrorMessageForLogs(
Expand All @@ -81,4 +89,15 @@ public String buildErrorMessageForLogs(
.inc();
}
}

protected void redactSensitiveHeaders(RequestInfoForLogging request) {
List<String> redactedHeaderValue = Arrays.asList("REDACTED");

Map<String, List<String>> headersMap = request.getHeadersMap();
Set<String> headerNames =
headersMap.keySet().stream()
.filter(name -> sensitiveHeaderNamesInLowerCase.contains(name.toLowerCase()))
.collect(Collectors.toSet());
headerNames.stream().forEach(name -> headersMap.put(name, redactedHeaderValue));
}
}
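Review bot: `redactSensitiveHeaders` redacts by writing into the map returned by `request.getHeadersMap()`, so its effect depends on that accessor returning the live, mutable map: if RequestInfoForLogging hands back a copy the logged message is never redacted, and if it hands back an unmodifiable view the call on line 47, which sits before the `try`, throws `UnsupportedOperationException` and no error message is built at all — this should be confirmed against the Backstopper contract and either made explicit in a comment such as `// Mutates the live headers map in place; relies on getHeadersMap() returning the mutable map that is logged` or replaced by redacting a copy that is then passed on to the logging path. The filter's match is locale-sensitive: `name.toLowerCase()` should be `name.toLowerCase(Locale.ROOT)` (with `java.util.Locale` imported) so a Turkish-style default locale cannot map an upper-case `I` in a header name to a dotless ı that misses the lower-case set. Smaller points: `Arrays.asList("REDACTED")` is one fixed-size list shared by every redacted entry, `headerNames.stream().forEach` can be plain `headerNames.forEach`, and `Collections.singletonList("REDACTED")` with a `headersMap.replaceAll(...)` over the entries would express the same redaction without the intermediate set. The public static set is named in `lowerCamelCase` like a field rather than `UPPER_SNAKE_CASE` like the other constants on this class, e.g. `SENSITIVE_HEADER_NAMES_IN_LOWER_CASE`.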
