https://issues.apache.org/jira/browse/HTTPCLIENT-2138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286145#comment-17286145

Cyrus Vafadari commented on HTTPCLIENT-2138:
--------------------------------------------

Thanks for the response, [~michael-o],


In the class `Header`, add a method like `maskedString()` that will be similar 
to `toString`, but if any header has a key that is known to contain 
sensitive information (Authorization, Proxy-Authorization), mask the values 
of those fields. Then any debug method will use this method to print the 
Headers rather than the existing method (seems to be 

[https://github.com/apache/httpcomponents-client/blob/rel/v4.5.11/httpclient/src/main/java/org/apache/http/impl/conn/LoggingManagedHttpClientConnection.java#L135])


I think using that same method here would be sufficient, please correct me if 
I'm wrong! 


The two concerns that jump out at me:

 - Should we backport further than 5.0.x? (I happen to be using 4.5.x, but could 
upgrade if I had to. Would be open to your advice.)

 - Does this remove valuable debug information for some people? (I don't think 
so; hopefully we don't think this needs to be configurable.)

> Debug Log level logs sensitive information
> ------------------------------------------
>
>                 Key: HTTPCLIENT-2138
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2138
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>            Reporter: Cyrus Vafadari
>            Priority: Major
>
> When I enable debug level logging, I see
> ```
> [2021-01-20 18:02:35,862] DEBUG http-outgoing-0 >> Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64> (org.apache.http.headers:139)
> [2021-01-20 18:02:35,884] DEBUG http-outgoing-0 >> "Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64>[\r][\n]" (org.apache.http.wire:54)
> [2021-01-20 18:02:35,899] DEBUG http-outgoing-0 << " <title>Unauthorized (401)</title>[\n]" (org.apache.http.wire:54)
> ```
> If agreed, I can open a PR to mask secrets in the debug log. If that makes 
> the log less useful, I can at least make this configurable, since in my case 
> it is a security violation to have any secrets whatsoever in the logs.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
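The masking approach proposed in the comment, worked through as a standalone
sketch. This is example code added to this page, not HttpClient's own
`Header` class or any code from the PR; the class name, the
`SENSITIVE_HEADERS` list and the `maskWireLine` helper are assumptions. It
goes one step beyond the comment: the quoted issue shows the same credential
leaking from both the headers logger and the wire logger, and the wire logger
only ever sees raw text, so the example masks at both levels. Header names
are case-insensitive, so the lookup lower-cases before comparing.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Example for this page only (not HttpClient code): a Header stand-in with a
 * maskedString() method, plus a line-level masker for wire-style log output.
 */
public final class MaskedHeaderExample {

    /** Lower-cased names of headers whose values must not reach a log (assumed list). */
    private static final Set<String> SENSITIVE_HEADERS = Set.of(
            "authorization", "proxy-authorization", "cookie", "set-cookie");

    private static final String MASK = "********";

    /** Minimal stand-in for a name/value header pair. */
    public static final class Header {
        private final String name;
        private final String value;

        public Header(String name, String value) {
            this.name = name;
            this.value = value;
        }

        public String getName() { return name; }
        public String getValue() { return value; }

        /** What a debug logger prints today: the full value. */
        @Override
        public String toString() {
            return name + ": " + value;
        }

        /**
         * Same shape as toString(), but the value of a sensitive header is
         * replaced. Header names are case-insensitive, so "AUTHORIZATION"
         * must be masked just like "Authorization".
         */
        public String maskedString() {
            if (SENSITIVE_HEADERS.contains(name.toLowerCase(Locale.ROOT))) {
                return name + ": " + MASK;
            }
            return toString();
        }
    }

    /**
     * The wire logger works on text, not Header objects, so it needs its own
     * hook. This matches a "Name: value" line in the wire logger's quoted
     * form and keeps the trailing [\r][\n] escapes so the output still reads
     * like wire output. Lines that are not headers pass through unchanged.
     */
    private static final Pattern WIRE_HEADER = Pattern.compile(
            "^(\"?)([A-Za-z0-9-]+):\\s*(.*?)((?:\\[\\\\r\\])?(?:\\[\\\\n\\])?\"?)$");

    public static String maskWireLine(String line) {
        Matcher m = WIRE_HEADER.matcher(line);
        if (!m.matches()) {
            return line;
        }
        if (!SENSITIVE_HEADERS.contains(m.group(2).toLowerCase(Locale.ROOT))) {
            return line;
        }
        return m.group(1) + m.group(2) + ": " + MASK + m.group(4);
    }

    public static void main(String[] args) {
        // Constructed headers; the Basic values are throwaway base64, not real credentials.
        Header[] headers = {
            new Header("Authorization", "Basic dXNlcjpwYXNz"),
            new Header("Proxy-Authorization", "Basic cHJveHk6c2VjcmV0"),
            new Header("Accept", "application/json"),
            new Header("AUTHORIZATION", "Bearer abc.def.ghi")
        };
        for (Header h : headers) {
            System.out.println("headers >> " + h.maskedString());
        }

        // Constructed wire-log fragments in the shape of the quoted issue.
        String[] wire = {
            "\"Authorization: Basic dXNlcjpwYXNz[\\r][\\n]\"",
            "\"Host: example.test[\\r][\\n]\"",
            "\" <title>Unauthorized (401)</title>[\\n]\""
        };
        for (String line : wire) {
            System.out.println("wire >> " + maskWireLine(line));
        }
    }
}
```

Compile and run with `javac MaskedHeaderExample.java && java MaskedHeaderExample`.
Masking the Header object covers the `org.apache.http.headers` line in the
quoted issue; the `org.apache.http.wire` line has to be handled where the wire
logger formats its text, and because a wire logger may emit partial chunks
rather than whole lines, a line-level matcher like the one above is only a
best-effort filter there.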
