db/pgbackrest
1
0
Fork 0
mirror of https://github.com/pgbackrest/pgbackrest.git synced 2025-01-30 05:39:12 +02:00
Code Issues Releases Activity

Redact authentication header when throwing S3 errors.

Browse Source 
The authentication header contains the access key (not the secret key) so don't include it in errors that can be seen at any log level.

Suggested by Brad Nicholson.
This commit is contained in:
David Steele 2018-12-05 12:51:13 -05:00
parent cc6447356e
commit bf873be4aa
3 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/xml/release.xml
View File

@ -32,6 +32,16 @@
</release-item> </release-item>
</release-bug-list> </release-bug-list>
<release-improvement-list>
<release-item>
<release-item-contributor-list>
<release-item-ideator id="brad.nicholson"/>
</release-item-contributor-list>
<p>Redact <id>authentication</id> header when throwing <proper>S3</proper> errors.</p>
</release-item>
</release-improvement-list>
<release-development-list> <release-development-list>
<release-item> <release-item>
<p>Enable S3 storage and encryption for <cmd>archive-get</cmd> command in C.</p> <p>Enable S3 storage and encryption for <cmd>archive-get</cmd> command in C.</p>

6
lib/pgBackRest/Storage/S3/Request.pm
View File

@ -232,10 +232,14 @@ sub request
{ {
my $rstrResponseBody = $oHttpClient->responseBody(); my $rstrResponseBody = $oHttpClient->responseBody();
# Redact authorization header because it contains the access key
my $strRequestHeader = $oHttpClient->requestHeaderText();
$strRequestHeader =~ s/^${\S3_HEADER_AUTHORIZATION}:.*$/${\S3_HEADER_AUTHORIZATION}: <redacted>/mg;
confess &log(ERROR, confess &log(ERROR,
'S3 request error' . ($iRetryTotal > 0 ? " after " . (S3_RETRY_MAX + 1) . " tries" : '') . 'S3 request error' . ($iRetryTotal > 0 ? " after " . (S3_RETRY_MAX + 1) . " tries" : '') .
" [$iResponseCode] " . $oHttpClient->responseMessage() . " [$iResponseCode] " . $oHttpClient->responseMessage() .
"\n*** request header ***\n" . $oHttpClient->requestHeaderText() . "\n*** request header ***\n${strRequestHeader}" .
($iResponseCode == S3_RESPONSE_CODE_ERROR_AUTH ? ($iResponseCode == S3_RESPONSE_CODE_ERROR_AUTH ?
"\n*** canonical request ***\n" . $strCanonicalRequest . "\n*** canonical request ***\n" . $strCanonicalRequest .
"\n*** signed headers ***\n" . $strSignedHeaders . "\n*** signed headers ***\n" . $strSignedHeaders .

5
src/perl/embed.auto.c
View File

@ -21627,11 +21627,14 @@ static const EmbeddedModule embeddedModule[] =
"if (!$bRetry)\n" "if (!$bRetry)\n"
"{\n" "{\n"
"my $rstrResponseBody = $oHttpClient->responseBody();\n" "my $rstrResponseBody = $oHttpClient->responseBody();\n"
"\n\n"
"my $strRequestHeader = $oHttpClient->requestHeaderText();\n"
"$strRequestHeader =~ s/^${\\S3_HEADER_AUTHORIZATION}:.*$/${\\S3_HEADER_AUTHORIZATION}: <redacted>/mg;\n"
"\n" "\n"
"confess &log(ERROR,\n" "confess &log(ERROR,\n"
"'S3 request error' . ($iRetryTotal > 0 ? \" after \" . (S3_RETRY_MAX + 1) . \" tries\" : '') .\n" "'S3 request error' . ($iRetryTotal > 0 ? \" after \" . (S3_RETRY_MAX + 1) . \" tries\" : '') .\n"
"\" [$iResponseCode] \" . $oHttpClient->responseMessage() .\n" "\" [$iResponseCode] \" . $oHttpClient->responseMessage() .\n"
"\"\\n*** request header ***\\n\" . $oHttpClient->requestHeaderText() .\n" "\"\\n*** request header ***\\n${strRequestHeader}\" .\n"
"($iResponseCode == S3_RESPONSE_CODE_ERROR_AUTH ?\n" "($iResponseCode == S3_RESPONSE_CODE_ERROR_AUTH ?\n"
"\"\\n*** canonical request ***\\n\" . $strCanonicalRequest .\n" "\"\\n*** canonical request ***\\n\" . $strCanonicalRequest .\n"
"\"\\n*** signed headers ***\\n\" . $strSignedHeaders .\n" "\"\\n*** signed headers ***\\n\" . $strSignedHeaders .\n"