From 7d5047c1f190421528695e1cc3a4ad71c97eb022 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 22 Nov 2021 11:31:50 -0700
Subject: [PATCH] caddyhttp: Log empty value for typical password headers

Work around for common misconfiguration
---
 modules/caddyhttp/marshalers.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/modules/caddyhttp/marshalers.go b/modules/caddyhttp/marshalers.go
index 8001bd8f..bbb703cc 100644
--- a/modules/caddyhttp/marshalers.go
+++ b/modules/caddyhttp/marshalers.go
@@ -17,6 +17,7 @@ package caddyhttp
 import (
 	"crypto/tls"
 	"net/http"
+	"strings"
 
 	"go.uber.org/zap/zapcore"
 )
@@ -39,6 +40,8 @@ func (r LoggableHTTPRequest) MarshalLogObject(enc zapcore.ObjectEncoder) error {
 }
 
 // LoggableHTTPHeader makes an HTTP header loggable with zap.Object().
+// Headers with potentially sensitive information (Cookie, Authorization,
+// and Proxy-Authorization) are logged with empty values.
 type LoggableHTTPHeader http.Header
 
 // MarshalLogObject satisfies the zapcore.ObjectMarshaler interface.
@@ -47,6 +50,10 @@ func (h LoggableHTTPHeader) MarshalLogObject(enc zapcore.ObjectEncoder) error {
 		return nil
 	}
 	for key, val := range h {
+		switch strings.ToLower(key) {
+		case "cookie", "authorization", "proxy-authorization":
+			val = []string{}
+		}
 		enc.AddArray(key, LoggableStringArray(val))
 	}
 	return nil
@@ -75,8 +82,6 @@ func (t LoggableTLSConnState) MarshalLogObject(enc zapcore.ObjectEncoder) error
 	enc.AddUint16("version", t.Version)
 	enc.AddUint16("cipher_suite", t.CipherSuite)
 	enc.AddString("proto", t.NegotiatedProtocol)
-	// NegotiatedProtocolIsMutual is deprecated - it's always true
-	enc.AddBool("proto_mutual", true)
 	enc.AddString("server_name", t.ServerName)
 	if len(t.PeerCertificates) > 0 {
 		enc.AddString("client_common_name", t.PeerCertificates[0].Subject.CommonName)
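Review bot: The redaction added in the `for key, val := range h` loop of LoggableHTTPHeader.MarshalLogObject is a fixed three-name list, so any other credential-bearing header (for example `X-Api-Key`, `X-Auth-Token`, or `Set-Cookie` if this type is also used to log response headers) still reaches the log in full; the commit message itself calls this a workaround, and that caveat belongs in the code. Pulling the names into a package-level set, e.g. `var sensitiveHeaders = map[string]struct{}{"cookie": {}, "authorization": {}, "proxy-authorization": {}}`, and checking `if _, ok := sensitiveHeaders[strings.ToLower(key)]; ok { val = []string{} }`, gives one place to extend the list and lets a later config option replace the set without touching this loop. A comment above the check should also state that only the value is blanked and the key still appears in the log, so the presence of the header remains observable while its contents do not. The opening lines of MarshalLogObject are outside this hunk.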