Filter token data out of catch_errors middlewarenewton-eol 3.19.1 stable/newton

If an exception is caught by the catch_errors middleware the entire request is dumped into the log including sensitive information like tokens. Filter that information before outputting the failed request. Closes-Bug: #1628031 Change-Id: I2563403993513c37751576223275350cac2e0937
author: Jamie Lennox <jamielennox@gmail.com> 2016-09-28 15:03:53 +1000
committer: Jeremy Stanley <fungi@yuggoth.org> 2017-01-26 18:25:45 +0000
commit: 6c0f50c1f5f4122b31dbfe25aacdce596bf4b648 (patch)
tree: 929e623a758807e52f697c89f47ea41f16bb2115 /oslo_middleware/tests/test_catch_errors.py
parent: 5b6a04b48354f50baa58112a06e1ede84f00df1a (diff)
download: oslo-middleware-6c0f50c1f5f4122b31dbfe25aacdce596bf4b648.tar.gz
1 files changed, 25 insertions, 0 deletions
diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
index 920bbe2..0b675e2 100644
--- a/oslo_middleware/tests/test_catch_errors.py
+++ b/oslo_middleware/tests/test_catch_errors.py
@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import fixtures
 import mock
 from oslotest import base as test_base
 import webob.dec
@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
             self._test_has_request_id(application,
                                       webob.exc.HTTPInternalServerError.code)
             self.assertEqual(1, log_exc.call_count)
+
+    def test_filter_tokens_from_log(self):
+        logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
+
+        @webob.dec.wsgify
+        def application(req):
+            raise Exception()
+
+        app = catch_errors.CatchErrors(application)
+        req = webob.Request.blank('/test',
+                                  text=u'test data',
+                                  method='POST',
+                                  headers={'X-Auth-Token': 'secret1',
+                                           'X-Service-Token': 'secret2',
+                                           'X-Other-Token': 'secret3'})
+        res = req.get_response(app)
+        self.assertEqual(500, res.status_int)
+
+        output = logger.output
+
+        self.assertIn('X-Auth-Token: <removed>', output)
+        self.assertIn('X-Service-Token: <removed>', output)
+        self.assertIn('X-Other-Token: <removed>', output)
+        self.assertIn('test data', output)
author	Jamie Lennox <jamielennox@gmail.com>	2016-09-28 15:03:53 +1000
committer	Jeremy Stanley <fungi@yuggoth.org>	2017-01-26 18:25:45 +0000
commit	6c0f50c1f5f4122b31dbfe25aacdce596bf4b648 (patch)
tree	929e623a758807e52f697c89f47ea41f16bb2115 /oslo_middleware/tests/test_catch_errors.py
parent	5b6a04b48354f50baa58112a06e1ede84f00df1a (diff)
download	oslo-middleware-6c0f50c1f5f4122b31dbfe25aacdce596bf4b648.tar.gz