fix(router): stop logging secrets in ext_proc request logs#197
fix(router): stop logging secrets in ext_proc request logs#197Kyosuke Konishi (konippi) wants to merge 2 commits into
Conversation
|
The ext_proc changes look ok. If you split that into its own PR, I can review and merge that. |
Kyosuke Konishi (konippi)
force-pushed
the
fix/stop-logging-secrets
branch
from
faa8032 to
1730ccb
Compare
Kyosuke Konishi (konippi)
changed the title
|
Bowei Du (@bowei) The other two pieces are split out:
|
| headersMap[k] = val | ||
| if k == ":path" { | ||
| path = val | ||
| path, _, _ = strings.Cut(val, "?") |
There was a problem hiding this comment.
Do you want to use url.Parse to avoid potential edge cases?
There was a problem hiding this comment.
I tried both. For :path, cutting at the first ? removes exactly the query, which is the secret vector here.
url.Parse doesn't improve that for this use and adds downsides:
- It errors on e.g. control chars, so it needs a fallback — and a fallback that logs the raw value would leak the query.
strings.Cutis total, so there's no error path that can fall through to logging the secret. - It reinterprets
//host/pathas authority and silently drops it.
Given that, my inclination would be to keep strings.Cut — but I'm very open to using url.Parse if you'd prefer. Let me know what you think.
There was a problem hiding this comment.
Actually, do we need this change?
I think interpreting the path: coming from Envoy would add some additional non-obvious semantics to this code. If we maintain that we pass the Envoy argument through unchanged, this will be much simpler to explain how this works.
There was a problem hiding this comment.
Is there a security issue that you are trying to fix?
There was a problem hiding this comment.
Yes — the :path query string can carry secrets (tokens, OAuth codes, etc.; CWE-598), and m.path gets persisted into the statusz QueryRecorder, which is served unauthenticated. That's the leak I'm closing.
You're right that the parser shouldn't reinterpret :path. I've reverted newRequestMetadata to pass Envoy's :path through verbatim and moved the query-stripping to the sink (redactPath in AddRouterRequest) — same "redact at the sink" approach as sanitizeForLog.
Bowei Du (bowei)
left a comment
Bowei Du (bowei)
left a comment
There was a problem hiding this comment.
One comment on the path change. Otherwise looks ok
Kyosuke Konishi (konippi)
force-pushed
the
fix/stop-logging-secrets
branch
from
1730ccb to
f35e75f
Compare
2 participants
Part of #103.
Stops the router (ext_proc) request path from writing secrets to logs.
This PR was prepared in part with the assistance of generative AI.