Redact authentication header when throwing S3 errors.

The authentication header contains the access key (not the secret key) so don't include it in errors that can be seen at any log level. Suggested by Brad Nicholson.
2025-01-30 05:39:12 +02:00 · 2018-12-05 12:51:13 -05:00 · 2018-12-05 12:51:13 -05:00 · bf873be4aa
commit bf873be4aa
parent cc6447356e
3 changed files with 19 additions and 2 deletions
--- a/doc/xml/release.xml
+++ b/doc/xml/release.xml
@ -32,6 +32,16 @@
                    </release-item>
                </release-bug-list>

+                <release-improvement-list>
+                    <release-item>
+                        <release-item-contributor-list>
+                            <release-item-ideator id="brad.nicholson"/>
+                        </release-item-contributor-list>
+
+                        <p>Redact <id>authentication</id> header when throwing <proper>S3</proper> errors.</p>
+                    </release-item>
+                </release-improvement-list>
+
                <release-development-list>
                    <release-item>
                        <p>Enable S3 storage and encryption for <cmd>archive-get</cmd> command in C.</p>
--- a/lib/pgBackRest/Storage/S3/Request.pm
+++ b/lib/pgBackRest/Storage/S3/Request.pm
@ -232,10 +232,14 @@ sub request
                {
                    my $rstrResponseBody = $oHttpClient->responseBody();

+                    # Redact authorization header because it contains the access key
+                    my $strRequestHeader = $oHttpClient->requestHeaderText();
+                    $strRequestHeader =~ s/^${\S3_HEADER_AUTHORIZATION}:.*$/${\S3_HEADER_AUTHORIZATION}: <redacted>/mg;
+
                    confess &log(ERROR,
                        'S3 request error' . ($iRetryTotal > 0 ? " after " . (S3_RETRY_MAX + 1) . " tries" : '') .
                            " [$iResponseCode] " . $oHttpClient->responseMessage() .
-                            "\n*** request header ***\n" . $oHttpClient->requestHeaderText() .
+                            "\n*** request header ***\n${strRequestHeader}" .
                            ($iResponseCode == S3_RESPONSE_CODE_ERROR_AUTH ?
                                "\n*** canonical request ***\n" . $strCanonicalRequest .
                                "\n*** signed headers ***\n" . $strSignedHeaders .
--- a/src/perl/embed.auto.c
+++ b/src/perl/embed.auto.c
@ -21627,11 +21627,14 @@ static const EmbeddedModule embeddedModule[] =
            "if (!$bRetry)\n"
            "{\n"
            "my $rstrResponseBody = $oHttpClient->responseBody();\n"
+            "\n\n"
+            "my $strRequestHeader = $oHttpClient->requestHeaderText();\n"
+            "$strRequestHeader =~ s/^${\\S3_HEADER_AUTHORIZATION}:.*$/${\\S3_HEADER_AUTHORIZATION}: <redacted>/mg;\n"
            "\n"
            "confess &log(ERROR,\n"
            "'S3 request error' . ($iRetryTotal > 0 ? \" after \" . (S3_RETRY_MAX + 1) . \" tries\" : '') .\n"
            "\" [$iResponseCode] \" . $oHttpClient->responseMessage() .\n"
-            "\"\\n*** request header ***\\n\" . $oHttpClient->requestHeaderText() .\n"
+            "\"\\n*** request header ***\\n${strRequestHeader}\" .\n"
            "($iResponseCode == S3_RESPONSE_CODE_ERROR_AUTH ?\n"
            "\"\\n*** canonical request ***\\n\" . $strCanonicalRequest .\n"
            "\"\\n*** signed headers ***\\n\" . $strSignedHeaders .\n"