diff options
author | Jamie Lennox <jamielennox@gmail.com> | 2016-09-28 15:03:53 +1000 |
---|---|---|
committer | Mehdi Abaakouk <sileht@sileht.net> | 2017-01-26 17:44:07 +0100 |
commit | df5c11ddcc06cd0b4f1ced99d7bdc1213e5eb646 (patch) | |
tree | 10ccd6f0f1502c87e2ca40ba0305c75a4fccef3e | |
parent | 5307c7e43f32ff4d3c1b3a742718f6085296fdf6 (diff) | |
download | oslo-middleware-df5c11ddcc06cd0b4f1ced99d7bdc1213e5eb646.tar.gz |
Filter token data out of catch_errors middleware3.23.1
If an exception is caught by the catch_errors middleware the entire
request is dumped into the log including sensitive information like
tokens. Filter that information before outputting the failed request.
Closes-Bug: #1628031
Change-Id: I2563403993513c37751576223275350cac2e0937
-rw-r--r-- | oslo_middleware/catch_errors.py | 8 | ||||
-rw-r--r-- | oslo_middleware/tests/test_catch_errors.py | 25 |
2 files changed, 30 insertions, 3 deletions
diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py index 782713b..8ffd252 100644 --- a/oslo_middleware/catch_errors.py +++ b/oslo_middleware/catch_errors.py @@ -14,6 +14,7 @@ # under the License. import logging +import re import webob.dec import webob.exc @@ -24,6 +25,8 @@ from oslo_middleware import base LOG = logging.getLogger(__name__) +_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE) + class CatchErrors(base.ConfigurableMiddleware): """Middleware that provides high-level error handling. @@ -37,9 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware): try: response = req.get_response(self.application) except Exception: - if hasattr(req, 'environ') and 'HTTP_X_AUTH_TOKEN' in req.environ: - req.environ['HTTP_X_AUTH_TOKEN'] = '*****' + req_str = _TOKEN_RE.sub(r'\1: *****', req.as_text()) LOG.exception(_LE('An error occurred during ' - 'processing the request: %s'), req) + 'processing the request: %s'), req_str) response = webob.exc.HTTPInternalServerError() return response diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py index 66351e5..7a06218 100644 --- a/oslo_middleware/tests/test_catch_errors.py +++ b/oslo_middleware/tests/test_catch_errors.py @@ -13,6 +13,7 @@ # License for the specific language governing permissions and limitations # under the License. +import fixtures import mock from oslotest import base as test_base import webob.dec @@ -48,3 +49,27 @@ class CatchErrorsTest(test_base.BaseTestCase): self.assertEqual(1, log_exc.call_count) req_log = log_exc.call_args[0][1] self.assertIn('X-Auth-Token: *****', str(req_log)) + + def test_filter_tokens_from_log(self): + logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False)) + + @webob.dec.wsgify + def application(req): + raise Exception() + + app = catch_errors.CatchErrors(application) + req = webob.Request.blank('/test', + text=u'test data', + method='POST', + headers={'X-Auth-Token': 'secret1', + 'X-Service-Token': 'secret2', + 'X-Other-Token': 'secret3'}) + res = req.get_response(app) + self.assertEqual(500, res.status_int) + + output = logger.output + + self.assertIn('X-Auth-Token: *****', output) + self.assertIn('X-Service-Token: *****', output) + self.assertIn('X-Other-Token: *****', output) + self.assertIn('test data', output) |