From 12d9eb62cbe0b7034c2b820ceee1e13686b66e6a Mon Sep 17 00:00:00 2001
From: Alex Vanin
Date: Thu, 2 Jun 2022 15:09:00 +0300
Subject: [PATCH] [#489] Sanitize log records that may contain user input

Signed-off-by: Alex Vanin
---
 api/handler/util.go | 9 +++++----
 api/layer/multipart_upload.go | 5 +++--
 api/layer/object.go | 3 ++-
 api/layer/system_object.go | 5 +++--
 internal/misc/sanitizer.go | 9 +++++++++
 5 files changed, 22 insertions(+), 9 deletions(-)
 create mode 100644 internal/misc/sanitizer.go

diff --git a/api/handler/util.go b/api/handler/util.go
index 6d069dd..04f9d57 100644
--- a/api/handler/util.go
+++ b/api/handler/util.go
@@ -10,15 +10,16 @@ import (
 "github.com/nspcc-dev/neofs-s3-gw/api/data"
 "github.com/nspcc-dev/neofs-s3-gw/api/errors"
 "github.com/nspcc-dev/neofs-s3-gw/api/layer"
+ "github.com/nspcc-dev/neofs-s3-gw/internal/misc"
 "github.com/nspcc-dev/neofs-sdk-go/session"
 "go.uber.org/zap"
 )

 func (h *handler) logAndSendError(w http.ResponseWriter, logText string, reqInfo *api.ReqInfo, err error, additional ...zap.Field) {
- fields := []zap.Field{zap.String("request_id", reqInfo.RequestID),
- zap.String("method", reqInfo.API),
- zap.String("bucket_name", reqInfo.BucketName),
- zap.String("object_name", reqInfo.ObjectName),
+ fields := []zap.Field{zap.String("request_id", misc.SanitizeString(reqInfo.RequestID)),
+ zap.String("method", misc.SanitizeString(reqInfo.API)),
+ zap.String("bucket_name", misc.SanitizeString(reqInfo.BucketName)),
+ zap.String("object_name", misc.SanitizeString(reqInfo.ObjectName)),
 zap.Error(err)}
 fields = append(fields, additional...)
 
diff --git a/api/layer/multipart_upload.go b/api/layer/multipart_upload.go
index ef664f4..c77990b 100644
--- a/api/layer/multipart_upload.go
+++ b/api/layer/multipart_upload.go
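Review bot: In logAndSendError the four fixed fields are now sanitized, but `zap.Error(err)` and the `additional...` fields on the same record are still logged as received; if a caller wraps a user-supplied object key or header value into err, or passes one as an extra field, that text bypasses misc.SanitizeString entirely. Whether any caller does so cannot be seen from this hunk, so at minimum the function should document the contract, e.g. `// err and additional fields are logged as-is; callers must misc.SanitizeString any user-controlled value they put in them.` The body of logAndSendError continues past the end of the hunk.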
@@ -13,6 +13,7 @@ import (
 "github.com/nspcc-dev/neofs-s3-gw/api"
 "github.com/nspcc-dev/neofs-s3-gw/api/data"
 "github.com/nspcc-dev/neofs-s3-gw/api/errors"
+ "github.com/nspcc-dev/neofs-s3-gw/internal/misc"
 "github.com/nspcc-dev/neofs-sdk-go/object"
 "github.com/nspcc-dev/neofs-sdk-go/user"
 "go.uber.org/zap"
@@ -256,7 +257,7 @@ func (n *layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipar
 if _, ok := objects[0]; !ok {
 n.log.Error("could not get init multipart upload",
 zap.Stringer("bucket id", p.Info.Bkt.CID),
- zap.String("uploadID", p.Info.UploadID),
+ zap.String("uploadID", misc.SanitizeString(p.Info.UploadID)),
 zap.String("uploadKey", p.Info.Key),
 )
 // we return InternalError because if we are here it means we've checked InitPart in handler before and
@@ -316,7 +317,7 @@ func (n *layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipar
 })
 if err != nil {
 n.log.Error("could not put a completed object (multipart upload)",
- zap.String("uploadID", p.Info.UploadID),
+ zap.String("uploadID", misc.SanitizeString(p.Info.UploadID)),
 zap.String("uploadKey", p.Info.Key),
 zap.Error(err))
 
diff --git a/api/layer/object.go b/api/layer/object.go
index e397a08..8a2da36 100644
--- a/api/layer/object.go
+++ b/api/layer/object.go
@@ -16,6 +16,7 @@ import (
 "github.com/nspcc-dev/neofs-s3-gw/api/data"
 apiErrors "github.com/nspcc-dev/neofs-s3-gw/api/errors"
 "github.com/nspcc-dev/neofs-s3-gw/api/layer/neofs"
+ "github.com/nspcc-dev/neofs-s3-gw/internal/misc"
 "github.com/nspcc-dev/neofs-sdk-go/client"
 cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
 "github.com/nspcc-dev/neofs-sdk-go/object"
@@ -206,7 +207,7 @@ func (n *layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Object
 if err != nil {
 n.log.Warn("couldn't get creation epoch",
 zap.String("bucket", p.BktInfo.Name),
- zap.String("object", p.Object),
+ zap.String("object", misc.SanitizeString(p.Object)),
 zap.Error(err))
 }
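Review bot: `zap.String("uploadKey", p.Info.Key)` in both CompleteMultipartUpload hunks (old lines 256 and 316) is still logged raw while the uploadID right above it is sanitized; by its name the key is the object name from the request, so it is at least as user-controlled as the upload ID and should get the same treatment: `zap.String("uploadKey", misc.SanitizeString(p.Info.Key)),`. The same gap exists for `zap.String("bucket", p.BktInfo.Name)` in PutObject (object.go, old line 206) and in putSystemObjectIntoNeoFS (system_object.go, old line 127): bucket names also come from the request, and the handler-side logAndSendError in this same commit does sanitize bucket_name, so the layer-side records are inconsistent with it. Whether p.BktInfo.Name has already been validated to a safe character set before it reaches the layer cannot be seen here. All three enclosing functions start before and end after their hunks.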
diff --git a/api/layer/system_object.go b/api/layer/system_object.go
index 998f89a..4ed501a 100644
--- a/api/layer/system_object.go
+++ b/api/layer/system_object.go
@@ -13,6 +13,7 @@ import (
 "github.com/nspcc-dev/neofs-s3-gw/api/data"
 "github.com/nspcc-dev/neofs-s3-gw/api/errors"
 "github.com/nspcc-dev/neofs-s3-gw/api/layer/neofs"
+ "github.com/nspcc-dev/neofs-s3-gw/internal/misc"
 "github.com/nspcc-dev/neofs-sdk-go/object"
 oid "github.com/nspcc-dev/neofs-sdk-go/object/id"
 "go.uber.org/zap"
@@ -127,7 +128,7 @@ func (n *layer) putSystemObjectIntoNeoFS(ctx context.Context, p *PutSystemObject
 if err != nil {
 n.log.Warn("couldn't get creation epoch",
 zap.String("bucket", p.BktInfo.Name),
- zap.String("object", p.ObjName),
+ zap.String("object", misc.SanitizeString(p.ObjName)),
 zap.Error(err))
 }
 
@@ -135,7 +136,7 @@ func (n *layer) putSystemObjectIntoNeoFS(ctx context.Context, p *PutSystemObject
 if err = n.objectDelete(ctx, p.BktInfo.CID, id); err != nil {
 n.log.Warn("couldn't delete system object",
 zap.Stringer("version id", id),
- zap.String("name", p.ObjName),
+ zap.String("name", misc.SanitizeString(p.ObjName)),
 zap.Error(err))
 }
 }
diff --git a/internal/misc/sanitizer.go b/internal/misc/sanitizer.go
new file mode 100644
index 0000000..ea2e7f5
--- /dev/null
+++ b/internal/misc/sanitizer.go
@@ -0,0 +1,9 @@
+package misc
+
+import "strings"
+
+// SanitizeString sanitizes string before using it in logs. Required
+// for data from the user input: request body, headers, etc.
+func SanitizeString(s string) string {
+ return strings.Replace(s, "\n", "", -1)
+}
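Review bot: SanitizeString removes only "\n", so a "\r" (including the one left behind when a CRLF pair loses its "\n") still reaches the record, and a bare carriage return is rendered as a line break by many terminals and log viewers, which is exactly the forged-record effect the helper exists to prevent. Escaping rather than deleting would close that gap and keep the record faithful to what was actually received, e.g. `var logEscaper = strings.NewReplacer("\r", "\\r", "\n", "\\n")` at package level and `return logEscaper.Replace(s)` in the function; if deletion is preferred, `strings.ReplaceAll(s, "\n", "")` is the current idiom for the `-1` form. The doc comment should also state which characters are handled so callers know what is not covered, e.g. `// SanitizeString escapes line breaks (\r, \n) so that a user-controlled value cannot forge additional log records.`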