Chore: sanitize values before being logged from request headers (#49245)

* Chore: sanitize values being logged directly from request headers
Ezequiel Victorero
2022-05-23 14:18:33 -03:00
committed by GitHub
parent 51bc1bad1b
commit dfab100dc7
5 changed files with 187 additions and 1 deletions


@@ -17,9 +17,11 @@ package middleware
import (
"net/http"
"net/url"
"time"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/contexthandler"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web"
@@ -55,7 +57,7 @@ func Logger(cfg *setting.Cfg) web.Handler {
"time_ms", int64(timeTaken),
"duration", duration,
"size", rw.Size(),
"referer", req.Referer(),
"referer", sanitizeURL(ctx, req.Referer()),
}
traceID := tracing.TraceIDFromContext(ctx.Req.Context(), false)
@@ -71,3 +73,16 @@ func Logger(cfg *setting.Cfg) web.Handler {
}
}
}
func sanitizeURL(ctx *models.ReqContext, s string) string {
if s == "" {
return s
}
u, err := url.ParseRequestURI(s)
if err != nil {
ctx.Logger.Warn("Received invalid referer in request headers, removed for log forgery prevention")
return ""
}
return u.String()
}
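Review bot: In the last hunk, `sanitizeURL` ends with `return u.String()`, which keeps any userinfo password and the full query string of the referer, so credentials or tokens carried in a referring URL are still written to the request log even though the control-character case is now rejected by `url.ParseRequestURI`. Returning `u.Redacted()` masks the password, and setting `u.RawQuery = ""` before that would drop query parameters if the log only needs the origin and path. The `ctx.Logger.Warn` call fires once per malformed header, so its volume is client-controlled; a lower level or a counter may be more appropriate, depending on how these logs are consumed, which this page does not show. The helper also lacks a doc comment; something like `// sanitizeURL returns the parsed, re-encoded form of s, or "" when s is not a valid request URI.` would record the contract.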