Fix Sensitive Header Censorship in Log

- Add censoring of sensitive headers from being logged in _proxy() - Fix issue where Cookie and X-XSRF-TOKEN were not censored as intended Change-Id: I14b422a25b40d0014c05226f9ae4fe8be75e33fb
2020-09-25 14:35:38 -07:00 · 2020-09-25 14:35:38 -07:00 · 6b34416026
commit 6b34416026
parent bcb3210760
2 changed files with 6 additions and 2 deletions
--- a/vmware_nsxlib/v3/cluster.py
+++ b/vmware_nsxlib/v3/cluster.py
@ -762,9 +762,13 @@ class ClusteredAPI(object):
                        kwargs['headers'] = kwargs.get('headers', {})
                        kwargs['headers'].update(conn.default_headers)
                    if not self._silent:
+                        # To censor sensitive headers before logging
+                        kwargs_copy = copy.copy(kwargs)
+                        kwargs_copy['headers'] = utils.censor_headers(
+                            kwargs_copy['headers'])
                        LOG.debug("API cluster proxy %s %s to %s with %s. "
                                  "Waited conn: %2.4f, rate: %2.4f",
-                                  proxy_for.upper(), uri, url, kwargs,
+                                  proxy_for.upper(), uri, url, kwargs_copy,
                                  conn_data.conn_wait, conn_data.rate_wait)

                    # call the actual connection method to do the
--- a/vmware_nsxlib/v3/utils.py
+++ b/vmware_nsxlib/v3/utils.py
@ -64,7 +64,7 @@ def set_inject_headers_callback(callback):


 def censor_headers(headers):
-    censored_headers = ['authorization', 'X-XSRF-TOKEN', 'Cookie']
+    censored_headers = ['authorization', 'x-xsrf-token', 'cookie']
    result = {}
    for name, value in headers.items():
        if name.lower() in censored_headers: