Sanitize sensitive fields in http.query()

2024-11-07 17:09:03 +00:00 · 2015-07-23 11:08:36 -06:00 · 2015-07-23 11:08:36 -06:00 · 1531e9035e
commit 1531e9035e
parent 13ecf3162f
2 changed files with 35 additions and 3 deletions
--- a/salt/cloud/clouds/vultrpy.py
+++ b/salt/cloud/clouds/vultrpy.py
@ -313,6 +313,7 @@ def _query(path, method='GET', data=None, params=None, header_dict=None, decode=
        text=True,
        decode=decode,
        decode_type='json',
+        hide_fields=['api_key'],
        opts=__opts__,
    )

--- a/salt/utils/http.py
+++ b/salt/utils/http.py
@ -120,6 +120,7 @@ def query(url,
          stream=False,
          handle=False,
          agent=USERAGENT,
+          hide_fields=None,
          **kwargs):
    '''
    Query a resource, and decode the return data
@ -175,9 +176,19 @@ def query(url,
            data_file, data_render, data_renderer, template_dict, opts
        )

-    log.debug('Requesting URL {0} using {1} method'.format(url_full, method))
+    # Make sure no secret fields show up in logs
+    log_url = sanitize_url(url_full, hide_fields)
+
+    log.debug('Requesting URL {0} using {1} method'.format(log_url, method))
    if method == 'POST':
-        log.trace('Request POST Data: {0}'.format(pprint.pformat(data)))
+        # Make sure no secret fields show up in logs
+        log_data = data.copy()
+        if isinstance(data, dict):
+            for item in data:
+                for field in hide_fields:
+                    if item == field:
+                        log_data[item] = 'XXXXXXXXXX'
+        log.trace('Request POST Data: {0}'.format(pprint.pformat(log_data)))

    if header_file is not None:
        header_tpl = _render(
@ -286,7 +297,7 @@ def query(url,
        if stream is True or handle is True:
            return {'handle': result}

-        log.debug('Final URL location of Response: {0}'.format(result.url))
+        log.debug('Final URL location of Response: {0}'.format(sanitize_url(result.url, hide_fields)))

        result_status_code = result.status_code
        result_headers = result.headers
@ -753,3 +764,23 @@ def parse_cookie_header(header):
        ret.append(salt.ext.six.moves.http_cookiejar.Cookie(name=name, value=value, **cookie))

    return ret
+
+
+def sanitize_url(url, hide_fields):
+    '''
+    Make sure no secret fields show up in logs
+    '''
+    if isinstance(hide_fields, list):
+        url_comps = urllib.splitquery(url)
+        log_url = url_comps[0]
+        if len(url_comps) > 1:
+            log_url += '?'
+        for pair in url_comps[1:]:
+            for field in hide_fields:
+                if pair.startswith('{0}='.format(field)):
+                    log_url += '{0}=XXXXXXXXXX&'.format(field)
+                else:
+                    log_url += '{0}&'.format(pair)
+        return log_url.rstrip('&')
+    else:
+        return str(url)