Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New createCurlCmd feature leaks secrets in log when tracing is enabled #828

Closed
nagius opened this issue Aug 27, 2024 · 2 comments · Fixed by #842
Closed

New createCurlCmd feature leaks secrets in log when tracing is enabled #828

nagius opened this issue Aug 27, 2024 · 2 comments · Fixed by #842
Assignees
Milestone

Comments

@nagius
Copy link

nagius commented Aug 27, 2024

The new curl log output introduced by #794 will leak secrets when tracing is enabled. See output example:

==============================================================================
~~~ REQUEST(curl) ~~~
CURL:
    curl -X PUT -H 'Accept: application/json' -H 'Authorization: Basic ZGVtbzpwQDU1dzByZA==' -H 'Content-Type: application/json' https://myserver.com/api/endpoint
~~~ REQUEST ~~~
PUT  /api/endpoint  HTTP/1.1
HOST   : myserver.com
HEADERS:
    Accept: application/json
    Authorization: [REDACTED]
    Content-Type: application/json
    User-Agent: go-resty/2.14.0 (https://github.com/go-resty/resty) 
BODY   :
------------------------------------------------------------------------------

For the remaining of the tracing output, it's possible to set a callback with OnRequestLog() than will filter out sensitive data like password or tokens from the log output. (See REDACTED output in the above example). This do not affect the generated curl output.

This generated Curl output is interesting but only in some usecases. Can we add a flag to disable that feature in the trace output ?
Or better, a flag to explicitly enable it (like EnableTraceWithCurl(), with a warning in the docs as this can leak secrets.

@jeevatkm
Copy link
Member

@nagius Thanks for reporting it.

I agree that adding the method EnableTraceWithCurl() would help. Plus, adding details about leak secrets in the godoc.

@jeevatkm
Copy link
Member

jeevatkm commented Sep 2, 2024

While implementing, I decided to change the method name as follows on the Client and Request instances -

  • EnableGenerateCurlOnDebug()
  • DisableGenerateCurlOnDebug()

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment