Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multi-address client: don't leak full request target in exception msg #2972

Merged
merged 2 commits into from
Jun 17, 2024
Merged

Multi-address client: don't leak full request target in exception msg #2972

merged 2 commits into from
Jun 17, 2024

Conversation

idelpivnitskiy
Copy link
Member

Motivation:

Request target may contain sensitive information, like secret query parameters or tokens in path. We should not include it as-is when MalformedURLException is thrown.

Modifications:

  • Change how MalformedURLException is generated to include only small substring of the request target in the exception message.

Result:

No risk to leak sensitive data in exception logs.

@idelpivnitskiy idelpivnitskiy requested a review from daschl June 16, 2024 17:22
@idelpivnitskiy idelpivnitskiy self-assigned this Jun 16, 2024
@idelpivnitskiy
Multi-address client: don't leak full request target in exception msg
6491807 
Motivation:

Request target may contain sensitive information, like secret query
parameters or tokens in path. We should not include it as-is when
`MalformedURLException` is thrown.

Modifications:

- Change how `MalformedURLException` is generated to include only small
substring of the request target in the exception message.

Result:

No risk to leak sensitive data in exception logs.
daschl
daschl reviewed Jun 17, 2024
View reviewed changes
...p-netty/src/main/java/io/servicetalk/http/netty/DefaultMultiAddressUrlHttpClientBuilder.java Outdated
final String name,
final String requestTarget) throws MalformedURLException {
if (value == null) {
// 8 characters should be enough to give users an idea of what's wrong with the passed URL without
Copy link
Contributor

@daschl daschl Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are only checking for scheme and host, what about omitting the path completely as part of the error? (understood that it could make it harder to figure out from the logs which request is affected .. but if the scheme is null at least they should have a host to look at).. if the host is null the code path might also be obvious-ish, since we have the call stack in the exception?

@idelpivnitskiy idelpivnitskiy requested a review from daschl June 17, 2024 07:01
@idelpivnitskiy idelpivnitskiy merged commit 7dad836 into apple:main Jun 17, 2024
11 checks passed
@idelpivnitskiy idelpivnitskiy deleted the address-leak branch June 17, 2024 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daschl daschl daschl approved these changes

Assignees

@idelpivnitskiy idelpivnitskiy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@idelpivnitskiy @daschl