mask secret also when they are url encoded (#2289)

Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com>
2025-10-30 23:57:50 +02:00 · 2020-11-02 10:08:34 +01:00
parent ff7204fcdf
commit ea5e91672d
2 changed files with 27 additions and 1 deletions
--- a/pkg/log/log.go
+++ b/pkg/log/log.go
@@ -3,6 +3,7 @@ package log
 import (
 	"fmt"
 	"io"
+	"net/url"
 	"strings"

 	"github.com/sirupsen/logrus"
@@ -110,8 +111,13 @@ func RegisterHook(hook logrus.Hook) {
 	logrus.AddHook(hook)
 }

+// RegisterSecret registers a value which should be masked in every log message
 func RegisterSecret(secret string) {
 	if len(secret) > 0 {
 		secrets = append(secrets, secret)
+		encoded := url.QueryEscape(secret)
+		if secret != encoded {
+			secrets = append(secrets, encoded)
+		}
 	}
 }
--- a/pkg/log/log_test.go
+++ b/pkg/log/log_test.go
@@ -2,8 +2,10 @@ package log

 import (
 	"bytes"
-	"github.com/stretchr/testify/assert"
+	"net/url"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

 func TestSecrets(t *testing.T) {
@@ -23,6 +25,24 @@ func TestSecrets(t *testing.T) {
 		Entry().Infof("My secret is %s.", secret)
 		assert.NotContains(t, buffer.String(), secret)
 	})
+
+	t.Run("should log url encoded", func(t *testing.T) {
+		secret := "secret-token!0"
+		encodedSecret := url.QueryEscape(secret)
+
+		outWriter := Entry().Logger.Out
+		var buffer bytes.Buffer
+		Entry().Logger.SetOutput(&buffer)
+		defer func() { Entry().Logger.SetOutput(outWriter) }()
+
+		Entry().Infof("My secret is %s.", secret)
+		assert.Contains(t, buffer.String(), secret)
+
+		buffer.Reset()
+		RegisterSecret(secret)
+		Entry().Infof("My secret is %s.", encodedSecret)
+		assert.NotContains(t, buffer.String(), encodedSecret)
+	})
 }

 func TestWriteLargeBuffer(t *testing.T) {