fix: harden login for MLPS requirements
This commit is contained in:
@@ -105,3 +105,36 @@ func TestLoggerUsesForwardedClientIPFromTrustedProxy(t *testing.T) {
|
||||
require.Equal(t, http.StatusOK, resp.Code)
|
||||
require.Contains(t, logBuffer.String(), `"client_ip":"106.14.89.27"`)
|
||||
}
|
||||
|
||||
func TestLoggerRedactsSensitiveQueryValues(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
gin.SetMode(gin.TestMode)
|
||||
|
||||
var logBuffer bytes.Buffer
|
||||
encoderConfig := zap.NewProductionEncoderConfig()
|
||||
encoderConfig.TimeKey = ""
|
||||
logger := zap.New(zapcore.NewCore(
|
||||
zapcore.NewJSONEncoder(encoderConfig),
|
||||
zapcore.AddSync(&logBuffer),
|
||||
zapcore.DebugLevel,
|
||||
))
|
||||
|
||||
router := gin.New()
|
||||
router.Use(RequestID())
|
||||
router.Use(Logger(logger))
|
||||
router.GET("/test", func(c *gin.Context) {
|
||||
c.Status(http.StatusOK)
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/test?password=secret&tab=cards&token=abc", nil)
|
||||
resp := httptest.NewRecorder()
|
||||
|
||||
router.ServeHTTP(resp, req)
|
||||
|
||||
require.Equal(t, http.StatusOK, resp.Code)
|
||||
logLine := logBuffer.String()
|
||||
require.Contains(t, logLine, `"query":"password=%5BREDACTED%5D&tab=cards&token=%5BREDACTED%5D"`)
|
||||
require.NotContains(t, logLine, "secret")
|
||||
require.NotContains(t, logLine, "token=abc")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user