--debug should redact Location headers
What happened in your environment?
Oras already redacts Set-Cookie and Authorization. It looks like Cookie is not done because no Cookie is ever set in a request (but might be good to redact it anyway).
The location header (when the registry is backed by S3 and not proxying) will include signed URLs. So you want to redact the query string of the Location header.
What did you expect to happen?
Not seeing the query string parameters in the Location header's URL
How can we reproduce it?
Run oras with --debug against a registry that is backed by S3 without proxying. Harbor is what I tested.
What is the version of your ORAS CLI?
main
What is your OS environment?
Ubuntu 22.04
Are you willing to submit PRs to fix it?
- [ ] Yes, I am willing to fix it.
If the Location header is set in a redirected HTTP response (e.g. 307), the query will still be output in the next request URL. If ORAS redacts the Location header, the corresponding request URL also needs to be redacted.
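One way to implement the redaction discussed in the report and in this reply, as an added illustration in Go rather than ORAS's own code (the header set, the `redactURL`/`redactHeaders` names and the sample presigned URL are assumptions): the Location header's query string and the URL of the request that follows the redirect go through the same function, so the signature is logged on neither side.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Header values that are replaced wholesale in debug output (assumed set).
var redactedHeaders = map[string]bool{"Authorization": true, "Set-Cookie": true, "Cookie": true}

// redactURL keeps scheme, host and path but hides the query string, which is
// where a presigned S3 URL carries its signature and expiry. Apply it to the
// Location header and to the URL of the request that follows the redirect.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable url>"
	}
	if u.RawQuery != "" {
		u.RawQuery = "REDACTED"
	}
	return u.String()
}

// redactHeaders returns a copy of h that is safe to print in a debug log.
func redactHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		canon := http.CanonicalHeaderKey(name)
		for _, v := range values {
			switch {
			case redactedHeaders[canon]:
				out.Add(canon, "*")
			case canon == "Location":
				out.Add(canon, redactURL(v))
			default:
				out.Add(canon, v)
			}
		}
	}
	return out
}

func main() {
	// Constructed sample headers of the kind an S3-backed registry returns on a 307.
	h := http.Header{}
	h.Set("Location", "https://bucket.s3.example/blobs/sha256/abc?X-Amz-Signature=0123&X-Amz-Expires=300")
	h.Set("Authorization", "Bearer secret-token")
	fmt.Println(redactHeaders(h))
	fmt.Println("GET", redactURL(h.Get("Location"))) // the redirected request line
}
```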
I wish HTTP had a header that listed the sensitive parts of a request/response. Something like
Confidential: header:location
Confidential: body
Confidential: queryparam=token
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This issue was closed because it has been stalled for 30 days with no activity.