Redact sensitive headers

ktorio · Dec 24, 2024 · acf10cf · acf10cf
1 parent 4ef4897
commit acf10cf
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 3 deletions.
diff --git a/...r-client-plugins/ktor-client-logging/common/src/io/ktor/client/plugins/logging/Logging.kt b/...r-client-plugins/ktor-client-logging/common/src/io/ktor/client/plugins/logging/Logging.kt
@@ -171,7 +171,11 @@ public val Logging: ClientPlugin<LoggingConfig> = createClientPlugin("Logging",
         }
 
         for ((name, values) in headers.entries()) {
-            logger.log("$name: ${values.joinToString(separator = ", ")}")
+            if (sanitizedHeaders.find { sh -> sh.predicate(name) } == null) {
+                logger.log("$name: ${values.joinToString(separator = ", ")}")
+            } else {
+                logger.log("$name: ██")
+            }
         }
 
         if (!isBody() || request.method == HttpMethod.Get) {
@@ -203,7 +207,7 @@ public val Logging: ClientPlugin<LoggingConfig> = createClientPlugin("Logging",
     suspend fun logResponseStdFormat(response: HttpResponse): HttpResponse {
         if (isNone()) return response
 
-        var contentLength = response.headers[HttpHeaders.ContentLength]?.toLongOrNull()
+        val contentLength = response.headers[HttpHeaders.ContentLength]?.toLongOrNull()
         val request = response.request
         val duration = response.responseTime.timestamp - response.requestTime.timestamp
 
@@ -226,7 +230,11 @@ public val Logging: ClientPlugin<LoggingConfig> = createClientPlugin("Logging",
         }
 
         for ((name, values) in response.headers.entries()) {
-            logger.log("$name: ${values.joinToString(separator = ", ")}")
+            if (sanitizedHeaders.find { sh -> sh.predicate(name) } == null) {
+                logger.log("$name: ${values.joinToString(separator = ", ")}")
+            } else {
+                logger.log("$name: ██")
+            }
         }
 
         if (!isBody()) {

diff --git a/...ient-plugins/ktor-client-logging/jvm/test/io/ktor/client/plugins/logging/NewFormatTest.kt b/...ient-plugins/ktor-client-logging/jvm/test/io/ktor/client/plugins/logging/NewFormatTest.kt
@@ -757,6 +757,46 @@ class NewFormatTest {
             .assertNoMoreLogs()
     }
 
+    @Test
+    fun headersAreRedacted() = runTest {
+        HttpClient(MockEngine) {
+            install(Logging) {
+                level = LogLevel.HEADERS
+                logger = log
+                standardFormat = true
+                sanitizeHeader { it == "SeNsItIvE" }
+            }
+
+            engine {
+                addHandler {
+                    respondWithLength("", headers = Headers.build {
+                        append("SeNsItIvE", "value")
+                        append("Not-Sensitive", "value")
+                    })
+                }
+            }
+        }.use { client ->
+            client.get("/") {
+                header("SeNsItIvE", "value")
+                header("Not-Sensitive", "value")
+            }
+            log.assertLogEqual("--> GET /")
+                .assertLogEqual("SeNsItIvE: ██")
+                .assertLogEqual("Not-Sensitive: value")
+                .assertLogEqual("Accept-Charset: UTF-8")
+                .assertLogEqual("Accept: */*")
+                .assertLogEqual("--> END GET")
+                .assertLogMatch(Regex("""<-- 200 OK / \(\d+ms\)"""))
+                .assertLogEqual("SeNsItIvE: ██")
+                .assertLogEqual("Not-Sensitive: value")
+                .assertLogEqual("Content-Length: 0")
+                .assertLogEqual("Content-Type: text/plain")
+                .assertLogEqual("<-- END HTTP")
+                .assertNoMoreLogs()
+
+        }
+    }
+
     private fun MockRequestHandleScope.respondWithLength(): HttpResponseData {
         return respond("", headers = Headers.build {
             append("Content-Length", "0")