From dbfcbfae07ad041f3c93c4ae918c0ad1d5860092 Mon Sep 17 00:00:00 2001 From: Yusuf Bera Ertan Date: Fri, 21 Apr 2023 22:34:44 +0300 Subject: [PATCH] dont log secrets in logs --- Cargo.toml | 2 +- src/handler.rs | 79 ++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 74 insertions(+), 7 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 02d2e7e..6fb47c0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -10,7 +10,7 @@ tokio = {version = "1", features = ["rt-multi-thread"]} dotenvy = "0.15" tracing = "0.1" tracing-subscriber = {version = "0.3", features = ["env-filter"]} -tower-http = {version = "0.4", features = ["trace", "cors"]} +tower-http = {version = "0.4", features = ["trace", "cors", "sensitive-headers"]} hyper = {version = "0.14", features = ["client"]} http = "0.2" async-tungstenite = {version = "0.21", features = ["tokio-runtime"]} diff --git a/src/handler.rs b/src/handler.rs index f8da7ba..6c85d84 100644 --- a/src/handler.rs +++ b/src/handler.rs @@ -1,4 +1,4 @@ -use std::net::SocketAddr; +use std::{fmt::Display, net::SocketAddr}; use super::AppError; use async_tungstenite::{ @@ -28,8 +28,7 @@ use serde::{Deserialize, Serialize}; use serde_json::Value; use tokio::net::TcpStream; use tower_http::{ - cors::CorsLayer, - trace::{DefaultMakeSpan, TraceLayer}, + cors::CorsLayer, sensitive_headers::SetSensitiveRequestHeadersLayer, trace::TraceLayer, }; use tracing::{Instrument, Span}; 
@@ -61,9 +60,76 @@ async fn block_external_ips( } } +struct ComponentDisplay { + left: Left, + right: Right, +} + +impl<'a, 'b> ComponentDisplay<&'a str, &'b str> { + fn is_empty(&self) -> bool { + self.left.is_empty() && self.right.is_empty() + } +} + +impl Display for ComponentDisplay +where + Left: Display, + Right: Display, +{ + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + write!(f, "{}{}", self.left, self.right) + } +} + +fn make_span_trace(req: &Request) -> Span { + let uri_query_filtered = req + .uri() + .query() + .map(|q| { + let token_start = q.find("&token="); + if let Some(pos) = token_start { + let (left, right) = q.split_at(pos); + let (_, right) = right.split_at(pos + 6 + 30); + return ComponentDisplay { left, right }; + } + let token_start = q.find("token="); + if let Some(_) = token_start { + let (_, right) = q.split_at(6 + 30); + return ComponentDisplay { left: "", right }; + } + ComponentDisplay { left: q, right: "" } + }) + .unwrap_or(ComponentDisplay { + left: "", + right: "", + }); + let uri_path = ComponentDisplay { + left: { + if !uri_query_filtered.is_empty() { + ComponentDisplay { + left: req.uri().path(), + right: "?", + } + } else { + ComponentDisplay { + left: req.uri().path(), + right: "", + } + } + }, + right: uri_query_filtered, + }; + tracing::debug_span!( + "request", + method = %req.method(), + uri = %uri_path, + version = ?req.version(), + headers = ?req.headers(), + ) +} + pub(super) async fn handler(state: AppState) -> Result { - let trace_layer = - TraceLayer::new_for_http().make_span_with(DefaultMakeSpan::default().include_headers(true)); + let trace_layer = TraceLayer::new_for_http().make_span_with(make_span_trace); let internal_router = Router::new() .route("/token/generate", get(generate_token)) 
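Review bot: Both `split_at` calls in the query-filtering closure of `make_span_trace` use an index that is never checked against the string length, so a request such as `?token=abc` (shorter than 36 bytes) panics while the span is being built. In the `&token=` branch the index `pos + 6 + 30` is applied to `right`, which already starts at `pos`, and `&token=` is 7 bytes, so the cut lands in the wrong place whenever `pos > 0`. In the second branch `find("token=")` matches anywhere in the query (for example inside `mytoken=`), yet the cut is always taken from byte 0. The fixed length of 30 also means a longer value has its tail written to the log. I would cut at the next `&` instead, as in the excerpt below, and add a comment that only the first `token` key is removed.

```rust
    .map(|q| {
        // Treat `token` as a whole key only: at the start of the query or right after `&`.
        let key_at = if q.starts_with("token=") {
            Some(0)
        } else {
            q.find("&token=")
        };
        let Some(pos) = key_at else {
            return ComponentDisplay { left: q, right: "" };
        };
        // `pos` is 0 or comes from `find`, so it is always in bounds.
        let (left, rest) = q.split_at(pos);
        // Drop everything up to the next `&`, whatever the value's length;
        // `rest` starts with an ASCII byte (`t` or `&`), so `rest[1..]` is valid.
        let right = rest[1..].find('&').map_or("", |end| &rest[end + 1..]);
        ComponentDisplay { left, right }
    })
    // … unchanged: unwrap_or default, uri_path assembly, debug_span! …
```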
@@ -71,9 +137,10 @@ pub(super) async fn handler(state: AppState) -> Result { .layer(axum::middleware::from_fn(block_external_ips)); let router = Router::new() - .route("/thumbnails/:id", get(http)) + .route("/thumbnail/:id", get(http)) .route("/audio/id/:id", get(http)) .route("/", get(metadata_ws)) + .layer(SetSensitiveRequestHeadersLayer::new([AUTHORIZATION])) .layer(trace_layer) .layer( CorsLayer::new()
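Review bot: The `SetSensitiveRequestHeadersLayer` is added before `trace_layer`, and with axum's `Router::layer` each later layer wraps the earlier ones, so `trace_layer` runs first on the way in. `make_span_trace` therefore formats `req.headers()` before `Authorization` has been marked sensitive, and its value would still appear in the `headers` field of the span. Swapping the two lines should fix it: `.layer(trace_layer)` followed by `.layer(SetSensitiveRequestHeadersLayer::new([AUTHORIZATION]))`. Alternatively, build both in a `tower::ServiceBuilder`, where the order reads top to bottom. The body of `handler` continues outside this hunk, so I cannot tell whether `internal_router` gets the same treatment.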