Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't log requests #1370

Merged
merged 4 commits into from
Sep 23, 2018
Merged

Don't log requests #1370

merged 4 commits into from
Sep 23, 2018

Conversation

dustin-decker
Copy link
Contributor

Fixes #1331

HTTP logging leaks sensitive request information.

This PR removes HTTP request logging during panics.

@chainhelen
Copy link
Contributor

@dustin-decker You should ensure make test for passing citest first.

@dustin-decker
Copy link
Contributor Author

@chainhelen Thanks for the notification. Indeed, but I didn't expect there to be a test inspecting the output buffer for a HTTP header!

@codecov
Copy link

codecov bot commented May 26, 2018
edited
Loading

Codecov Report

Merging #1370 into master will increase coverage by <.01%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1370      +/-   ##
==========================================
+ Coverage   99.06%   99.06%   +<.01%     
==========================================
  Files          39       39              
  Lines        1919     1922       +3     
==========================================
+ Hits         1901     1904       +3     
  Misses         14       14              
  Partials        4        4
Impacted Files Coverage Δ
recovery.go 100% <100%> (ø) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5a75dc7...0e535d8. Read the comment docs.

@AgrimPrasad
Copy link

@dustin-decker @javierprovecho @thinkerou

Could we proceed with this one? We'd also like to prevent sensitive user information from being exposed in gin panic logs on our servers.

If there are any holdups (I see test failing + unresolved conflicts) I would be glad to fix these issues myself if the author is unavailable.

@thinkerou
Copy link
Member

@dustin-decker please fix conflict, thanks!

appleboy
appleboy previously approved these changes Sep 22, 2018
View reviewed changes
@appleboy
Copy link
Member

maybe we can remove the httpdump request data in Release mode and keep the log in debug mode.

@dustin-decker
Copy link
Contributor Author

Thanks for reviewing, @appleboy.
Added printing httpdump request data when debug mode is enabled (and tested it).

appleboy
appleboy approved these changes Sep 23, 2018
View reviewed changes
Copy link
Member

@appleboy appleboy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM @dustin-decker Thanks.

@appleboy
Copy link
Member

@thinkerou Need your approval :)

@appleboy appleboy added this to the 1.4 milestone Sep 23, 2018
@appleboy appleboy merged commit ad53619 into gin-gonic:master Sep 23, 2018
@appleboy appleboy mentioned this pull request Sep 23, 2018
Closed
justinfx pushed a commit to justinfx/gin that referenced this pull request Nov 3, 2018
@dustin-decker @justinfx
Don't log requests (gin-gonic#1370)
5548cc3 
Fixes gin-gonic#1331

HTTP logging leaks sensitive request information.

This PR removes HTTP request logging during panics.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thinkerou thinkerou thinkerou approved these changes

@appleboy appleboy appleboy approved these changes

@javierprovecho javierprovecho Awaiting requested review from javierprovecho

Assignees
No one assigned
Labels
bug enhancement
Projects
None yet
Milestone
1.4
Development

Successfully merging this pull request may close these issues.
5 participants
@dustin-decker @chainhelen @AgrimPrasad @thinkerou @appleboy