fix: harden login for MLPS requirements
This commit is contained in:
@@ -1,6 +1,9 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
@@ -27,7 +30,7 @@ func Logger(logger *zap.Logger) gin.HandlerFunc {
|
||||
fields = append(fields, zap.String("route", route))
|
||||
}
|
||||
if rawQuery := c.Request.URL.RawQuery; rawQuery != "" {
|
||||
fields = append(fields, zap.String("query", rawQuery))
|
||||
fields = append(fields, zap.String("query", redactRawQuery(rawQuery)))
|
||||
}
|
||||
if userAgent := c.Request.UserAgent(); userAgent != "" {
|
||||
fields = append(fields, zap.String("user_agent", userAgent))
|
||||
@@ -86,3 +89,29 @@ func Logger(logger *zap.Logger) gin.HandlerFunc {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var sensitiveQueryKeyPattern = regexp.MustCompile(`(?i)(password|passwd|pwd|token|secret|authorization|credential|session|cookie|key|signature|sig)`)
|
||||
|
||||
func redactRawQuery(raw string) string {
|
||||
values, err := url.ParseQuery(raw)
|
||||
if err != nil {
|
||||
return redactQueryFallback(raw)
|
||||
}
|
||||
for key := range values {
|
||||
if sensitiveQueryKeyPattern.MatchString(key) {
|
||||
values[key] = []string{"[REDACTED]"}
|
||||
}
|
||||
}
|
||||
return values.Encode()
|
||||
}
|
||||
|
||||
func redactQueryFallback(raw string) string {
|
||||
parts := strings.Split(raw, "&")
|
||||
for i, part := range parts {
|
||||
key, _, ok := strings.Cut(part, "=")
|
||||
if ok && sensitiveQueryKeyPattern.MatchString(key) {
|
||||
parts[i] = key + "=[REDACTED]"
|
||||
}
|
||||
}
|
||||
return strings.Join(parts, "&")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user