fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
+30 -1
View File
@@ -1,6 +1,9 @@
package middleware
import (
"net/url"
"regexp"
"strings"
"time"
"github.com/gin-gonic/gin"
@@ -27,7 +30,7 @@ func Logger(logger *zap.Logger) gin.HandlerFunc {
fields = append(fields, zap.String("route", route))
}
if rawQuery := c.Request.URL.RawQuery; rawQuery != "" {
fields = append(fields, zap.String("query", rawQuery))
fields = append(fields, zap.String("query", redactRawQuery(rawQuery)))
}
if userAgent := c.Request.UserAgent(); userAgent != "" {
fields = append(fields, zap.String("user_agent", userAgent))
@@ -86,3 +89,29 @@ func Logger(logger *zap.Logger) gin.HandlerFunc {
}
}
}
var sensitiveQueryKeyPattern = regexp.MustCompile(`(?i)(password|passwd|pwd|token|secret|authorization|credential|session|cookie|key|signature|sig)`)
func redactRawQuery(raw string) string {
values, err := url.ParseQuery(raw)
if err != nil {
return redactQueryFallback(raw)
}
for key := range values {
if sensitiveQueryKeyPattern.MatchString(key) {
values[key] = []string{"[REDACTED]"}
}
}
return values.Encode()
}
func redactQueryFallback(raw string) string {
parts := strings.Split(raw, "&")
for i, part := range parts {
key, _, ok := strings.Cut(part, "=")
if ok && sensitiveQueryKeyPattern.MatchString(key) {
parts[i] = key + "=[REDACTED]"
}
}
return strings.Join(parts, "&")
}