diff --git a/cmd/http-tracer.go b/cmd/http-tracer.go
index b3083fd2f..89239f7dc 100644
--- a/cmd/http-tracer.go
+++ b/cmd/http-tracer.go
@@ -23,6 +23,7 @@ import (
 	"net"
 	"net/http"
 	"reflect"
+	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
@@ -80,6 +81,17 @@ func (r *recordRequest) Data() []byte {
 	return logger.BodyPlaceHolder
 }
 
+var ldapPwdRegex = regexp.MustCompile("(^.*?)LDAPPassword=([^&]*?)(&(.*?))?$")
+
+// redact LDAP password if part of string
+func redactLDAPPwd(s string) string {
+	parts := ldapPwdRegex.FindStringSubmatch(s)
+	if len(parts) > 0 {
+		return parts[1] + "LDAPPassword=*REDACTED*" + parts[3]
+	}
+	return s
+}
+
 // getOpName sanitizes the operation name for mc
 func getOpName(name string) (op string) {
 	op = strings.TrimPrefix(name, "github.com/minio/minio/cmd.")
@@ -129,7 +141,7 @@ func WebTrace(ri *jsonrpc.RequestInfo) trace.Info {
 	Proto: r.Proto,
 	Method: r.Method,
 	Path: SlashSeparator + pathJoin(vars["bucket"], vars["object"]),
-	RawQuery: r.URL.RawQuery,
+	RawQuery: redactLDAPPwd(r.URL.RawQuery),
 	Client: handlers.GetSourceIP(r),
 	Headers: reqHeaders,
 }
diff --git a/cmd/http-tracer_test.go b/cmd/http-tracer_test.go
new file mode 100644
index 000000000..5242f43b9
--- /dev/null
+++ b/cmd/http-tracer_test.go
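Review bot: redactLDAPPwd masks only the first `LDAPPassword=` pair — after the match, `parts[3]` (everything from the next `&` onward) is appended verbatim, so a query like `LDAPPassword=a&LDAPPassword=b` (a repeated parameter, which net/url happily accepts) still writes the second secret into the trace. Walking the `&`-separated tokens masks every occurrence, keeps all other parameters byte-for-byte, and needs only `strings`, which the file already imports, so the new `regexp` import and the package-level `ldapPwdRegex` can be dropped. The one-line comment should also say why the function exists; I would replace it with `// redactLDAPPwd masks the value of every LDAPPassword query parameter so the STS bind credential never reaches the trace output; other parameters are left untouched.` The substring match on the key is kept deliberately so a leading `?` or other prefix survives, erring toward over-redaction rather than a leak.
```go
// redactLDAPPwd masks the value of every LDAPPassword query parameter so the
// STS bind credential never reaches the trace output; other parameters are
// left untouched.
func redactLDAPPwd(s string) string {
	if !strings.Contains(s, "LDAPPassword=") {
		return s
	}
	parts := strings.Split(s, "&")
	for i, p := range parts {
		// substring match on purpose: keeps any prefix (e.g. a leading '?')
		// and over-redacts rather than leaks
		if idx := strings.Index(p, "LDAPPassword="); idx >= 0 {
			parts[i] = p[:idx] + "LDAPPassword=*REDACTED*"
		}
	}
	return strings.Join(parts, "&")
}
```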
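Review bot: the redaction is applied only to the `RawQuery` field assembled in WebTrace, whose body starts before and ends after this hunk; if `r.URL.RawQuery` is copied anywhere else in this file (a sibling tracer for the S3 handlers, or the full request line in a log message), those paths still carry the clear-text password, and an STS request that sends its parameters in a form-encoded body rather than the query string is not covered at all — the `Data()` context in the earlier hunk returns a body placeholder on at least one path, so check whether any other path records the real body. `LDAPPassword` is presumably not the only secret-bearing STS parameter this server accepts; if other STS flows pass tokens through the query, a single list of sensitive keys consulted here would be easier to keep complete than one hard-coded name. A short why-comment at the call site would help the next reader: `// STS AssumeRoleWithLDAPIdentity puts the bind password in the query; never trace it in clear.`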
@@ -0,0 +1,50 @@
+/*
+ * MinIO Cloud Storage, (C) 2021 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package cmd
+
+import (
+	"testing"
+)
+
+// Test redactLDAPPwd()
+func TestRedactLDAPPwd(t *testing.T) {
+	testCases := []struct {
+		query string
+		expectedQuery string
+	}{
+		{"", ""},
+		{"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&LDAPPassword=can+youreadthis%3F&Version=2011-06-15",
+			"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&LDAPPassword=*REDACTED*&Version=2011-06-15",
+		},
+		{"LDAPPassword=can+youreadthis%3F&Version=2011-06-15&?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername",
+			"LDAPPassword=*REDACTED*&Version=2011-06-15&?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername",
+		},
+		{"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&Version=2011-06-15&LDAPPassword=can+youreadthis%3F",
+			"?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=myusername&Version=2011-06-15&LDAPPassword=*REDACTED*",
+		},
+		{
+			"?x=y&a=b",
+			"?x=y&a=b",
+		},
+	}
+	for i, test := range testCases {
+		gotQuery := redactLDAPPwd(test.query)
+		if gotQuery != test.expectedQuery {
+			t.Fatalf("test %d: expected %s got %s", i+1, test.expectedQuery, gotQuery)
+		}
+	}
+}
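Review bot: the table never exercises the inputs where the new regex leaks — a repeated `LDAPPassword` parameter — nor the single-parameter case, and every non-empty fixture starts with a `?`, which `r.URL.RawQuery` (the value actually passed at the call site) never contains, so the rows do not model the real caller. Add `{"LDAPPassword=a&LDAPPassword=b", "LDAPPassword=*REDACTED*&LDAPPassword=*REDACTED*"}` and `{"LDAPPassword=secret", "LDAPPassword=*REDACTED*"}`; the first fails against the regex as written, which is the point. `t.Fatalf` stops at the first mismatch and `%s` hides empty or whitespace-only differences; `t.Errorf("test %d: expected %q got %q", i+1, test.expectedQuery, gotQuery)` reports every failing row legibly. The header comment could say what the table guarantees: `// TestRedactLDAPPwd checks that every LDAPPassword value is masked wherever it sits in the query and that all other parameters are returned unchanged.`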