feat: support echo the request and response in mock server #820
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| if proxy.Echo { | ||
| fmt.Println("Original request header:") | ||
| for k, v := range req.Header { | ||
| fmt.Println(k, ":", v) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
To fix the problem, we should prevent logging sensitive HTTP headers. The best practice is to either omit logging headers entirely, or to redact/obfuscate sensitive header values before logging them. When logging headers, we should maintain a denylist of sensitive header names (e.g., Authorization, Cookie, Set-Cookie, Proxy-Authorization) and mask their values if they're present.
Specifically, in pkg/mock/in_memory.go, within the loop starting at line 183, we should update the logging so that before printing each header, we check if it is sensitive; if so, print its value as <redacted>, else print its actual value. This can be done by a simple helper function that matches header names case-insensitively.
Minimal changes are needed and no functionality should be lost (other than leaking secrets). We'll define the sensitive headers list in this code region and use it for redaction.
| @@ -181,7 +181,11 @@ | ||
| if proxy.Echo { | ||
| fmt.Println("Original request header:") | ||
| for k, v := range req.Header { | ||
| fmt.Println(k, ":", v) | ||
| if isSensitiveHeader(k) { | ||
| fmt.Println(k, ":", "<redacted>") | ||
| } else { | ||
| fmt.Println(k, ":", v) | ||
| } | ||
| } | ||
| fmt.Println("Original request path:", req.URL) | ||
| fmt.Println("Original request payload:") | ||
| @@ -226,6 +230,27 @@ | ||
| }) | ||
| } | ||
|
|
||
| // isSensitiveHeader returns true if the HTTP header name is considered sensitive. | ||
| func isSensitiveHeader(headerName string) bool { | ||
| // List of common sensitive headers | ||
| sensitive := []string{ | ||
| "Authorization", | ||
| "Cookie", | ||
| "Set-Cookie", | ||
| "Proxy-Authorization", | ||
| "X-Api-Key", | ||
| "X-Auth-Token", | ||
| "X-Csrf-Token", | ||
| } | ||
| normalized := strings.ToLower(headerName) | ||
| for _, h := range sensitive { | ||
| if normalized == strings.ToLower(h) { | ||
| return true | ||
| } | ||
| } | ||
| return false | ||
| } | ||
|
|
||
| func (s *inMemoryServer) tcpProxy(proxy *Proxy) { | ||
| fmt.Println("start to proxy", proxy.Port) | ||
| lisener, err := net.Listen("tcp", fmt.Sprintf(":%d", proxy.Port)) |
|
There are 1 test cases, failed count 0:
Reported by api-testing. |
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferences |
| } | ||
| fmt.Println("Original request path:", req.URL) | ||
| fmt.Println("Original request payload:") | ||
| fmt.Println(string(requestBody)) |
Check notice
Code scanning / SonarCloud
Logging should not be vulnerable to injection attacks Low
|
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #