do not extract endpoint from path for 404s (#1069)

This can lead to a large set of endpoints for things like security scans. Logs should be used to track down those paths.
Netflix · Aug 2, 2023 · 2b2e651 · 2b2e651
1 parent 7953113
commit 2b2e651
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/spectator-ext-ipc/src/main/java/com/netflix/spectator/ipc/IpcLogEntry.java b/spectator-ext-ipc/src/main/java/com/netflix/spectator/ipc/IpcLogEntry.java
@@ -639,7 +639,7 @@ private IpcAttemptFinal getAttemptFinal() {
 
   private String getEndpoint() {
     return (endpoint == null)
-        ? (path == null) ? "unknown" : PathSanitizer.sanitize(path)
+        ? (path == null || httpStatus == 404) ? "unknown" : PathSanitizer.sanitize(path)
         : endpoint;
   }
 

diff --git a/spectator-ext-ipc/src/test/java/com/netflix/spectator/ipc/IpcLogEntryTest.java b/spectator-ext-ipc/src/test/java/com/netflix/spectator/ipc/IpcLogEntryTest.java
@@ -225,6 +225,17 @@ public void endpointViaUri() {
     Assertions.assertEquals("_api_v1_-", actual);
   }
 
+  @Test
+  public void endpointViaUri404() {
+    String path = "/api/v1/1234567890";
+    String actual = (String) entry
+        .withUri(URI.create(path))
+        .withHttpStatus(404)
+        .convert(this::toMap)
+        .get("endpoint");
+    Assertions.assertEquals("unknown", actual);
+  }
+
   @Test
   public void clientNode() {
     String expected = "i-12345";