chore: resolve security findings (#1282)

#### What this PR does / why we need it #### Which issue(s) this PR fixes  #1281
open-component-model · Feb 5, 2025 · 9327e42 · 9327e42
1 parent d1c40af
commit 9327e42
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 19 deletions.
diff --git a/api/credentials/internal/consumers.go b/api/credentials/internal/consumers.go
@@ -117,7 +117,7 @@ func (c *_consumer) GetCredentials() CredentialsSource {
 	return c.credentials
 }
 
-////////////////////////////////////////////////////////////////////////////////
+// //////////////////////////////////////////////////////////////////////////////
 
 type consumerPrio struct {
 	ConsumerProvider
@@ -135,7 +135,7 @@ func WithPriority(p ConsumerProvider, prio int) ConsumerProvider {
 	}
 }
 
-////////////////////////////////////////////////////////////////////////////////
+// //////////////////////////////////////////////////////////////////////////////
 
 type PriorityProvider interface {
 	GetPriority() int
@@ -244,13 +244,13 @@ func (p *consumerProviderRegistry) catchedMatch(ectx EvaluationContext, sub Cons
 		cs = nil
 		ci = cur
 	}, exception.ByPrototypes(&UnwindStack{}))
-	log.Trace("pattern: {{pattern}}\ncontext: {{context}}\nprovider: {{provider}}",
-		"pattern", pattern, "context", ectx, "provider", sub)
+	log.Trace("pattern: {{pattern}}\ncontext: {{context}}",
+		"pattern", pattern, "context", ectx)
 	ectx, useprov, _ := p.checkHandleProvider(ectx, sub, pattern)
 	if !useprov {
 		return nil, cur
 	}
-	log.Trace("attempt match with provider: {{provider}}", "provider", sub)
+	log.Trace("attempt match with provider")
 	return sub.Match(ectx, pattern, cur, m)
 }
 

diff --git a/api/utils/logging/roundtripper.go b/api/utils/logging/roundtripper.go
@@ -20,17 +20,9 @@ type RoundTripper struct {
 }
 
 func (t *RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	// Redact the Authorization header to make sure it doesn't get logged at any point.
-	header := req.Header
-	if key := "Authorization"; req.Header.Get(key) != "" {
-		header = header.Clone()
-		header.Set(key, "***")
-	}
-
 	t.logger.Trace("roundtrip",
 		"url", req.URL,
 		"method", req.Method,
-		"header", header,
 	)
 	return t.RoundTripper.RoundTrip(req)
 }
diff --git a/api/utils/logging/roundtripper_test.go b/api/utils/logging/roundtripper_test.go
@@ -34,7 +34,7 @@ var _ = Describe("RoundTripper", func() {
 		}
 	})
 
-	It("redacts Authorization header", func() {
+	It("does not log header information", func() {
 		r := logcfg.ConditionalRule("trace")
 		cfg := &logcfg.Config{
 			Rules: []logcfg.Rule{r},
@@ -51,15 +51,14 @@ var _ = Describe("RoundTripper", func() {
 		req, err := http.NewRequest("GET", server.URL, nil)
 		Expect(err).NotTo(HaveOccurred())
 		req.Header.Set("Authorization", "this should be redacted")
+		req.Header.Set("Cookie", "my secret session token")
+		req.Header.Set("MyArbitraryHeader", "some secret information")
 
 		_, err = client.Do(req)
 		Expect(err).NotTo(HaveOccurred())
 
-		Expect(buf.String()).To(ContainSubstring("roundtrip"))
-		Expect(buf.String()).To(ContainSubstring("url"))
-		Expect(buf.String()).To(ContainSubstring("method"))
-		Expect(buf.String()).To(ContainSubstring("header"))
-		Expect(buf.String()).To(ContainSubstring("***"))
 		Expect(buf.String()).NotTo(ContainSubstring("this should be redacted"))
+		Expect(buf.String()).NotTo(ContainSubstring("my secret session token"))
+		Expect(buf.String()).NotTo(ContainSubstring("some secret information"))
 	})
 })