Overzealous sensitive value masking in HTTP request/response logs
ewbankkit opened this issue ยท 0 comments
ewbankkit commented
Community Note
- Please vote on this issue by adding a ๐ reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Following the changes to HTTP request/response log sensitive value masking in #523, much useful information is being unnecessarily obfuscated. For example
http.response.body=
| <?xml version="1.0" encoding="UTF-8"?>
| <Desc***************onse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
| <requestId>76a4520c-aafc-4486-8224-92e4776ae280</requestId>
| <subnetSet>
| <item>
| <subnetId>subnet-0ae3*********6b23</subnetId>
| <subnetArn>arn:aws:ec2:us-west-2:123456789012:subnet/subnet-0ae3*********6b23</subnetArn>
| <state>available</state>
| <ownerId>123456789012</ownerId>
| <vpcId>vpc-0034*********0c03</vpcId>
| <cidrBlock>10.0.2.0/24</cidrBlock>
| <ipv6********************Set/>
| <avai***************ount>251</ava****************ount>
| <avai********Zone>us-west-2d</ava*********Zone>
| <avai**********neId>usw2-az4</ava***********neId>
| <defaultForAz>false</defaultForAz>
| <mapP***********unch>true</map************unch>
| <tagSet>
| <item>
| <key>Name</key>
| <value>tf-acc-test-2706***********8325</value>
| </item>
| </tagSet>
| <assi*******************tion>false</ass********************tion>
| <mapC******************unch>false</map*******************unch>
| <priv*********************unch>
| <hostnameType>ip-name</hostnameType>
| <enab********************cord>false</ena*********************cord>
| <enab***********************cord>false</ena************************cord>
| </pri**********************unch>
| <ipv6Native>false</ipv6Native>
| <enableDns64>false</enableDns64>
| </item>
| </subnetSet>
| </Des****************onse>
If the intention is to mask just AWS access key IDs and secret access keys then we can use the patterns described here.