diff --git a/ebpftracer/l7/http.go b/ebpftracer/l7/http.go index 14141b29..01a8a4a6 100644 --- a/ebpftracer/l7/http.go +++ b/ebpftracer/l7/http.go @@ -71,7 +71,7 @@ func ParseHTTPRequest(data []byte) (*http.Request, error) { sensitiveHeaders := make(map[string]bool) sensitiveKeysList := strings.Split(*flags.SensitiveHeader, ",") for _, key := range sensitiveKeysList { - sensitiveHeaders[strings.TrimSpace(key)] = true + sensitiveHeaders[strings.ToLower(strings.TrimSpace(key))] = true } for _, line := range headerLines { part1, part2, ok := bytes.Cut(line, []byte(":")) @@ -84,7 +84,7 @@ func ParseHTTPRequest(data []byte) (*http.Request, error) { key := strings.TrimSpace(string(part1)) val := strings.TrimSpace(string(part2)) - if sensitiveHeaders[key] { + if sensitiveHeaders[strings.ToLower(key)] { val = SanitizeString(val) } header.Add(key, val) @@ -143,10 +143,8 @@ func ConvertHeadersToString(headers http.Header) string { func SanitizeString(value string) string { if !*flags.SanitizeHeaders { + return value } - if len(value) <= 10 { - return strings.Repeat("*", len(value)) - } - return strings.Repeat("*", 10) + value[10:] + return strings.Repeat("*", len(value)) } diff --git a/ebpftracer/l7/l7_test.go b/ebpftracer/l7/l7_test.go index 6bb809c9..ef3ee60c 100644 --- a/ebpftracer/l7/l7_test.go +++ b/ebpftracer/l7/l7_test.go @@ -6,6 +6,7 @@ import ( "io" "testing" + "github.com/coroot/coroot-node-agent/flags" "github.com/stretchr/testify/assert" "go.mongodb.org/mongo-driver/bson" ) @@ -91,12 +92,18 @@ func TestParseMongo(t *testing.T) { } func TestParseHost(t *testing.T) { - requestString := "HEAD /1 HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/8.0.1\r\nAccept: */*\r\n\r\nxzxxxxxxzx" + SanitizeHeaders := "Authorization, cookie" + f := true + flags.SensitiveHeader = &SanitizeHeaders + flags.SanitizeHeaders = &f + requestString := "HEAD /1 HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/8.0.1\r\nAuthorization: abcd\r\nCookie: abcd\r\nAccept: */*\r\n\r\nxzxxxxxxzx" req, err := ParseHTTPRequest([]byte(requestString)) assert.Nil(t, nil, err) assert.Equal(t, "/1", req.URL.Path) assert.Equal(t, "127.0.0.1", req.Host) assert.Equal(t, "HEAD", req.Method) + assert.Equal(t, "****", req.Header.Get("Authorization")) + assert.Equal(t, "****", req.Header.Get("Cookie")) body, err := io.ReadAll(req.Body) assert.Nil(t, nil, err) assert.Equal(t, "xzxxxxxxzx", string(body)) diff --git a/flags/flags.go b/flags/flags.go index ddfdb6d1..2cff3464 100644 --- a/flags/flags.go +++ b/flags/flags.go @@ -36,7 +36,7 @@ var ( ResolveDns = kingpin.Flag("resolve-dns", "should resolve DNS").Default("true").Envar("RESOLVE_DNS").Bool() IgnoreControlPlane = kingpin.Flag("ignore-control-plane", "ignore control plane like loki").Default("karpenter,loki,prometheus,grafana,kubelet,etcd,apiserver,victoria").Envar("IGNORE_CONTROL_PLANE").String() SanitizeHeaders = kingpin.Flag("sanitize-headers", "should sanitize headers").Default("true").Envar("SANITIZE_HEADERS").Bool() - SensitiveHeader = kingpin.Flag("sensitive-headers", "sanitize headers using patterns").Default("Authorization, Cookie").Envar("SENSITIVE_HEADERS").String() + SensitiveHeader = kingpin.Flag("sensitive-headers", "sanitize headers using patterns").Default("Authorization, Cookie, X-Action-Token").Envar("SENSITIVE_HEADERS").String() ) func GetString(fl *string) string { diff --git a/tracing/tracing.go b/tracing/tracing.go index e0dcc153..dac1ca5b 100644 --- a/tracing/tracing.go +++ b/tracing/tracing.go @@ -122,6 +122,7 @@ func (t *Trace) HttpRequest(method, path string, status l7.Status, duration time attribute.Key("http.request_payload").String(payload), attribute.Key("http.headers").String(headers), attribute.Key("http.response").String(response), + attribute.Key("http.path").String(path), ) }