From 7ffcde362e7eeebb75ab64b04c91d0de853a73b2 Mon Sep 17 00:00:00 2001
From: Jeffrey Sica
Date: Thu, 26 Jul 2018 11:32:42 -0400
Subject: [PATCH] hide request info for sensitive urls
---
 src/app/backend/handler/apihandler_test.go | 33 +++++++++++++++-------
 src/app/backend/handler/filter.go | 11 ++++++++
 2 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/src/app/backend/handler/apihandler_test.go b/src/app/backend/handler/apihandler_test.go
index 9a427075bfe7..abcf917b2d61 100644
--- a/src/app/backend/handler/apihandler_test.go
+++ b/src/app/backend/handler/apihandler_test.go
@@ -103,25 +103,38 @@ func TestMapUrlToResource(t *testing.T) {
 }
 
 func TestFormatRequestLog(t *testing.T) {
- req, err := http.NewRequest("PUT", "/api/v1/pod", bytes.NewReader([]byte("{}")))
- if err != nil {
- t.Error("Cannot mockup request")
- }
 cases := []struct {
- request *restful.Request
+ method string
+ uri string
+ content *bytes.Reader
 expected string
 }{
 {
- &restful.Request{
- Request: req,
- },
+ "PUT",
+ "/api/v1/pod",
+ bytes.NewReader([]byte("{}")),
 "Incoming HTTP/1.1 PUT /api/v1/pod request",
 },
+ {
+ "POST",
+ "/api/v1/login",
+ bytes.NewReader([]byte("{}")),
+ "Incoming HTTP/1.1 POST /api/v1/login request from : { contents hidden }",
+ },
 }
+
 for _, c := range cases {
- actual := formatRequestLog(c.request)
+ req, err := http.NewRequest(c.method, c.uri, c.content)
+ if err != nil {
+ t.Error("Cannot mockup request")
+ }
+
+ var restfulRequest restful.Request
+ restfulRequest.Request = req
+
+ actual := formatRequestLog(&restfulRequest)
 if !strings.Contains(actual, c.expected) {
- t.Errorf("formatRequestLog(%#v) returns %#v, expected to contain %#v", c.request, actual, c.expected)
+ t.Errorf("formatRequestLog(%#v) returns %#v, expected to contain %#v", req, actual, c.expected)
 }
 }
 }
diff --git a/src/app/backend/handler/filter.go b/src/app/backend/handler/filter.go
index 691e67e030d4..9baa824b726a 100644
--- a/src/app/backend/handler/filter.go
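Review bot: `t.Error("Cannot mockup request")` inside the new loop lets the iteration continue with a nil `req`, so the following lines assign it to `restfulRequest.Request` and `formatRequestLog` dereferences it, turning a failed fixture into a panic instead of a reported failure; use `t.Fatalf("Cannot mockup request: %v", err)` so the cause is printed and the test stops. The second case only pins that the exact `/api/v1/login` path is redacted; a case pairing a non-sensitive path with a non-empty body would also pin that ordinary requests keep logging their content, which guards the redaction loop against over-matching if the list or the comparison changes later.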
+++ b/src/app/backend/handler/filter.go
@@ -67,6 +67,7 @@ func formatRequestLog(request *restful.Request) string {
 }
 
 content := "{}"
+
 entity := make(map[string]interface{})
 request.ReadEntity(&entity)
 if len(entity) > 0 {
@@ -76,6 +77,16 @@ func formatRequestLog(request *restful.Request) string {
 }
 }
 
+ // Great now let's filter out any content from sensitive URLs
+ var sensitive_urls [2]string
+ sensitive_urls[0] = "/api/v1/login"
+ sensitive_urls[1] = "/api/v1/csrftoken/login"
+ for _, a := range sensitive_urls {
+ if a == uri {
+ content = "{ contents hidden }"
+ }
+ }
+
 return fmt.Sprintf(RequestLogString, time.Now().Format(time.RFC3339), request.Request.Proto,
 request.Request.Method, uri, request.Request.RemoteAddr, content)
 }
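Review bot: The redaction in `if a == uri` fires only on an exact string match, and `uri` is computed above this hunk (formatRequestLog's opening is outside it), so if it still carries a query string or a trailing slash a request to the login endpoint would be logged with its credentials in clear; comparing `request.Request.URL.Path` instead removes the query-string dependency, and the trailing-slash case should be confirmed against how `uri` is derived. The list also belongs at package level as `sensitiveURLs` (MixedCaps rather than `sensitive_urls`) so the redacted endpoints are declared once beside the other handler constants instead of being rebuilt on every request, and the loop can `break` once it matches. The comment `// Great now let's filter out any content from sensitive URLs` would read better as `// Redact the body for endpoints that carry credentials.`
```go
// sensitiveURLs lists endpoints whose request bodies carry credentials and
// must never appear in the request log.
var sensitiveURLs = []string{"/api/v1/login", "/api/v1/csrftoken/login"}

// … unchanged: formatRequestLog header, entity read and content formatting …

	// Redact the body for endpoints that carry credentials. Compare the path
	// component rather than the full URI so a query string cannot defeat it.
	for _, s := range sensitiveURLs {
		if request.Request.URL.Path == s {
			content = "{ contents hidden }"
			break
		}
	}
```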