[#489] Sanitize log records that may contain user input

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
2022-06-02 15:09:00 +03:00 · 2022-06-02 15:09:00 +03:00 · 12d9eb62cb
commit 12d9eb62cb
parent 2ca4dbb190
5 changed files with 22 additions and 9 deletions
--- a/api/handler/util.go
+++ b/api/handler/util.go
@ -10,15 +10,16 @@ import (
 	"github.com/nspcc-dev/neofs-s3-gw/api/data"
 	"github.com/nspcc-dev/neofs-s3-gw/api/errors"
 	"github.com/nspcc-dev/neofs-s3-gw/api/layer"
+	"github.com/nspcc-dev/neofs-s3-gw/internal/misc"
 	"github.com/nspcc-dev/neofs-sdk-go/session"
 	"go.uber.org/zap"
 )

 func (h *handler) logAndSendError(w http.ResponseWriter, logText string, reqInfo *api.ReqInfo, err error, additional ...zap.Field) {
-	fields := []zap.Field{zap.String("request_id", reqInfo.RequestID),
-		zap.String("method", reqInfo.API),
-		zap.String("bucket_name", reqInfo.BucketName),
-		zap.String("object_name", reqInfo.ObjectName),
+	fields := []zap.Field{zap.String("request_id", misc.SanitizeString(reqInfo.RequestID)),
+		zap.String("method", misc.SanitizeString(reqInfo.API)),
+		zap.String("bucket_name", misc.SanitizeString(reqInfo.BucketName)),
+		zap.String("object_name", misc.SanitizeString(reqInfo.ObjectName)),
 		zap.Error(err)}
 	fields = append(fields, additional...)