This repository has been archived by the owner on Sep 30, 2024. It is now read-only.
security: redact unrecognized auth HTTP headers from logs #46112
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When the Authentication middleware stumbled across a HTTP Header set to `Authorization: [name value]` and `name` is not one of the recognized Sourcegraph ones (i.e "token" or "sudo-token"), the logs were printing that value in clear. While it's a rather limited concern as the logs are only accessible to ops and the use of custom authentication tokens are not a very frequent, it's still not okay to log them in clear. The present code instead logs a md5sum in place of the value, allowing to still link back to the value we're expecting if we're debugging. If the hashing fails for any reason, the value is simply set to "[REDACTED]". It is to be noted, that there are legitimate cases where can have unrecognized Authorization headers, and we should not log in those cases. As this would require to parse the current config, which requires more work, I decided for keeping this PR simple and focused on the security concern first.
jhchabran
added
security
burmudar
approved these changes
Jan 4, 2023
sanderginn
reviewed
Jan 4, 2023
There was a problem hiding this comment.
[ frontend] WARN external.accessTokenAuth httpapi/auth.go:58 ignoring unrecognized Authorization header {"redacted_value": "md5sum:f3dce97acd1145b1274d05117a3847da", "error": "unrecognized HTTP Authorization request header scheme (supported values: \"token\", \"token-sudo\")"}
Perhaps it would be slightly more informative to include the unrecognized scheme in the log message? E.g. in this case Bearer?
marekweb
approved these changes
Jan 4, 2023
andreeleuterio
approved these changes
Jan 4, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TL;DR The Authentication middleware currently logs custom authorization headers in clear.
When the Authentication middleware stumbled across a HTTP Header set to
Authorization: [name value]andnameis not one of the recognized Sourcegraph ones (i.e "token" or "sudo-token"), the logs were printing that value in clear.While it's a rather limited concern as the logs are only accessible to ops and the use of custom authentication tokens are not a very frequent, it's still not okay to log them in clear.
The present code instead logs a md5sum in place of the value, allowing to still link back to the value we're expecting if we're debugging. If the hashing fails for any reason, the value is simply set to "[REDACTED]".
It is to be noted, that there are legitimate cases where can have unrecognized Authorization headers, and we should not log in those cases. As this would require to parse the current config, which requires more work, I decided for keeping this PR simple and focused on the security concern first.
Test plan
Locally tested. Because the authorization header clashes with the one I'm testing my code with, I reproduced the customer setup with this addition to the site-config:
And used the following
cURL:Which then logs:
As expected.