fix: redact passwords in logs
Fixes #238

Replaces URLs of the format `rtsp://user:password@localhost:8554` with
`rtsp://user:xxxxx@localhost:8554` in logs. This is best-effort for now
and does not handle cases where passwords appear in query strings. It
should be fairly easy to extend the `RedactPassword` function in the
future in case there are other common password patterns that are worth
handling.
martinohmann committed Jun 21, 2024
1 parent a4885c2 commit a3f82bd
Showing 5 changed files with 34 additions and 10 deletions.
2 changes: 1 addition & 1 deletion internal/expr/expr.go
Expand Up @@ -17,7 +17,7 @@ func Init() {
return "", err
}

log.Debug().Msgf("[expr] url=%s", url)
log.Debug().Msgf("[expr] url=%s", streams.RedactPassword(url[5:]))

if url = v.(string); url == "" {
return "", errors.New("expr: result is empty")
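Review bot: The new debug line in `Init` hands `url[5:]` to `streams.RedactPassword`, but that helper only masks a password when its whole argument parses as a URL with userinfo. If the text after the five-character prefix is an expression that merely contains a stream URL (the package name suggests so; the code that builds `url` is outside this hunk), an embedded `user:password@` will most likely still reach the debug log unmasked, or the logged text may be altered by URL re-serialisation. I would either not log the body at all, `log.Debug().Msg("[expr] evaluating source")`, or state the limit in a comment: `// best-effort: RedactPassword masks userinfo only when url[5:] is itself a URL`. The slice also assumes `len(url) >= 5`; if the caller does not guarantee that, this line panics.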
8 changes: 8 additions & 0 deletions internal/streams/helpers.go
Expand Up @@ -20,3 +20,11 @@ func ParseQuery(s string) url.Values {
}
return params
}

func RedactPassword(s string) string {
if u, err := url.Parse(s); err == nil {
return u.Redacted()
}

return s
}
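Review bot: `RedactPassword` fails open: when `url.Parse` returns an error it falls through to `return s`, so the raw string is what gets logged. Parsing fails for exactly the inputs whose password holds unescaped reserved characters (for example `%`, `#` or `/` inside the userinfo), so those passwords would still appear in logs. I would fail closed before the final return, e.g. `if strings.Contains(s, "@") { return "<redacted: unparseable URL>" }` (needs the `strings` import), and add a test case with such a password. The exported function also has no doc comment; `// RedactPassword returns s with the userinfo password masked; it is best-effort and intended for log output only.` would record the contract.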
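--- a/internal/streams/helpers_test.go
+++ b/internal/streams/helpers_test.go
@@ -0,0 +1,14 @@
+package streams
+
+import (
+"testing"
+
+"github.com/stretchr/testify/require"
+)
+
+func TestRedactPassword(t *testing.T) {
+require.Equal(t, "not_a_url", RedactPassword("not_a_url"))
+require.Equal(t, "rtsp://localhost:8554", RedactPassword("rtsp://localhost:8554"))
+require.Equal(t, "rtsp://user:xxxxx@localhost:8554", RedactPassword("rtsp://user:password@localhost:8554"))
+require.Equal(t, "rtsp://:xxxxx@localhost:8554", RedactPassword("rtsp://:password@localhost:8554"))
+}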
10 changes: 5 additions & 5 deletions internal/streams/producer.go
Expand Up @@ -149,7 +149,7 @@ func (p *Producer) start() {
return
}

log.Debug().Msgf("[streams] start producer url=%s", p.url)
log.Debug().Msgf("[streams] start producer url=%s", RedactPassword(p.url))

p.state = stateStart
p.workerID++
Expand All @@ -167,7 +167,7 @@ func (p *Producer) worker(conn core.Producer, workerID int) {
return
}

log.Warn().Err(err).Str("url", p.url).Caller().Send()
log.Warn().Err(err).Str("url", RedactPassword(p.url)).Caller().Send()
}

p.reconnect(workerID, 0)
Expand All @@ -178,11 +178,11 @@ func (p *Producer) reconnect(workerID, retry int) {
defer p.mu.Unlock()

if p.workerID != workerID {
log.Trace().Msgf("[streams] stop reconnect url=%s", p.url)
log.Trace().Msgf("[streams] stop reconnect url=%s", RedactPassword(p.url))
return
}

log.Debug().Msgf("[streams] retry=%d to url=%s", retry, p.url)
log.Debug().Msgf("[streams] retry=%d to url=%s", retry, RedactPassword(p.url))

conn, err := GetProducer(p.url)
if err != nil {
Expand Down Expand Up @@ -257,7 +257,7 @@ func (p *Producer) stop() {
p.workerID++
}

log.Debug().Msgf("[streams] stop producer url=%s", p.url)
log.Debug().Msgf("[streams] stop producer url=%s", RedactPassword(p.url))

if p.conn != nil {
_ = p.conn.Stop()
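Review bot: In `worker`, `log.Warn().Err(err).Str("url", RedactPassword(p.url))` masks the `url` field but still logs `err` as-is, and errors produced while parsing or connecting to a source can embed the original URL, password included. Whether that happens depends on what the producer's start call returns, which is outside this hunk, so it needs checking rather than being certain; the same applies to the `err` from `GetProducer(p.url)` in `reconnect`, whose handling continues past the hunk. Until that is verified I would mark the spot with `// NOTE: err may contain the unredacted source URL; sanitise before logging`. Separately, `RedactPassword(p.url)` re-parses the URL on every log call, including the Trace line when trace logging is disabled, so storing the redacted form on the `Producer` once would be cheaper.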
10 changes: 6 additions & 4 deletions internal/streams/streams.go
Expand Up @@ -119,7 +119,7 @@ func GetOrPatch(query url.Values) *Stream {

// check if name param provided
if name := query.Get("name"); name != "" {
log.Info().Msgf("[streams] create new stream url=%s", source)
log.Info().Msgf("[streams] create new stream url=%s", RedactPassword(source))

return Patch(name, source)
}
Expand All @@ -143,6 +143,8 @@ func Delete(id string) {
delete(streams, id)
}

var log zerolog.Logger
var streams = map[string]*Stream{}
var streamsMu sync.Mutex
var (
log zerolog.Logger
streams = map[string]*Stream{}
streamsMu sync.Mutex
)
