
New createCurlCmd feature leaks secrets in log when tracing is enabled

Open nagius opened this issue 6 months ago • 1 comments

The new curl log output introduced by #794 will leak secrets when tracing is enabled. See output example:

==============================================================================
~~~ REQUEST(curl) ~~~
CURL:
    curl -X PUT -H 'Accept: application/json' -H 'Authorization: Basic ZGVtbzpwQDU1dzByZA==' -H 'Content-Type: application/json' https://myserver.com/api/endpoint
~~~ REQUEST ~~~
PUT  /api/endpoint  HTTP/1.1
HOST   : myserver.com
HEADERS:
    Accept: application/json
    Authorization: [REDACTED]
    Content-Type: application/json
    User-Agent: go-resty/2.14.0 (https://github.com/go-resty/resty) 
BODY   :
------------------------------------------------------------------------------

For the remainder of the tracing output, it's possible to set a callback with OnRequestLog() that will filter out sensitive data like passwords or tokens from the log output (see the REDACTED output in the above example). This does not affect the generated curl output.

This generated curl output is interesting, but only in some use cases. Can we add a flag to disable that feature in the trace output? Or better, a flag to explicitly enable it (like EnableTraceWithCurl()), with a warning in the docs as this can leak secrets.

nagius avatar Aug 27 '24 15:08 nagius
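The report's point is that redaction applied to the header listing is bypassed when the curl command is rendered from the original headers. The added Go example below (not resty's code; `redactHeaders`, `curlCmd` and `LoggedCurl` are illustrative names) builds the curl string only from a redacted copy of the headers, using the sample request from the report as constructed input.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Header names whose values must never reach a log (constructed list for this example).
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
	"X-Api-Key":           true,
}

// redactHeaders returns a copy of h with sensitive values replaced by [REDACTED].
// This is the kind of filtering an OnRequestLog callback does for the header
// listing; the fix is to feed the curl renderer this copy, not the original.
func redactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for name := range out {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out.Set(name, "[REDACTED]")
		}
	}
	return out
}

// curlCmd renders a curl command from whatever headers it is given (sorted for stable output).
func curlCmd(method, url string, h http.Header) string {
	var b strings.Builder
	fmt.Fprintf(&b, "curl -X %s", method)
	names := make([]string, 0, len(h))
	for n := range h {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Fprintf(&b, " -H '%s: %s'", n, h.Get(n))
	}
	fmt.Fprintf(&b, " %s", url)
	return b.String()
}

// LoggedCurl is what a trace logger should emit: the curl line built from redacted headers.
func LoggedCurl(method, url string, h http.Header) string {
	return curlCmd(method, url, redactHeaders(h))
}

func main() {
	h := http.Header{}
	h.Set("Authorization", "Basic ZGVtbzpwQDU1dzByZA==") // sample credential from the report
	h.Set("Accept", "application/json")
	fmt.Println(LoggedCurl("PUT", "https://myserver.com/api/endpoint", h))
}
```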