requestlog: redact UIA passwords (#39)

beeper · Jan 27, 2025 · a68da76 · a68da76
1 parent a1a4fb2
commit a68da76
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -5,6 +5,8 @@ go 1.21
 require (
 	github.com/aws/aws-sdk-go v1.49.9
 	github.com/rs/zerolog v1.33.0
+	github.com/tidwall/gjson v1.14.2
+	github.com/tidwall/sjson v1.2.5
 	sigs.k8s.io/aws-iam-authenticator v0.6.16
 )
 
@@ -29,6 +31,8 @@ require (
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.13.0 // indirect

diff --git a/go.sum b/go.sum
@@ -235,6 +235,14 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/tidwall/gjson v1.14.2 h1:6BBkirS0rAHjumnjHF6qgy5d2YAJ1TLIaFE2lzfOLqo=
+github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/pkg/requestlog/accesslogger.go b/pkg/requestlog/accesslogger.go
@@ -4,11 +4,14 @@ import (
 	"bytes"
 	"encoding/json"
 	"net/http"
+	"regexp"
 	"runtime/debug"
 	"time"
 
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/hlog"
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
 )
 
 const MaxRequestSizeLog = 4 * 1024
@@ -113,15 +116,25 @@ func AccessLogger(logOptions bool) func(http.Handler) http.Handler {
 	}
 }
 
+var hackyPasswordRegex = regexp.MustCompile(`"password":"[^"]+(?:"|$)`)
+var hackyPasswordReplacement = []byte(`"password":"<redacted>"`)
+
 func logRequestMaybeJSON(evt *zerolog.Event, key string, data []byte) {
 	data = removeNewlines(data)
 	if json.Valid(data) {
+		if gjson.GetBytes(data, "auth.password").Exists() {
+			newData, _ := sjson.SetBytesOptions(data, "auth.password", "<redacted>", &sjson.Options{Optimistic: true})
+			if newData != nil {
+				data = newData
+			}
+		}
 		evt.RawJSON(key, data)
 	} else {
 		// Logging as a string will create lots of escaping and it's not valid json anyway, so cut off a bit more
 		if len(data) > MaxStringRequestSizeLog {
 			data = data[:MaxStringRequestSizeLog]
 		}
+		data = hackyPasswordRegex.ReplaceAll(data, hackyPasswordReplacement)
 		evt.Bytes(key+"_invalid", data)
 	}
 }