ylecuyer/survey-gizmo-ruby

Masking of api tokens

mkaydev opened this issue · 5 comments

I just noticed that the SurveyGizmo::Logger is passed as logger to the connection, too. It logs requested urls (info level).

If the api token or api token secret contain special characters that need percent-encoding, the regular expression which masks the tokens from log messages will not match.

I verified that the tokens can contain such characters and that they would appear unmasked (and percent encoded) in the logs.

can you give an example of such a token (obviously don't post your actual token)? All my SG tokens have been alphanumeric so far; haven't seen a special character ever.

Any token that contains a special character from the RFC 3986 reserved character list, e.g.

api_token = 'king_of_the&whirled$'
api_token_secret = 'dream/word'

If these tokens were passed as URL parameters, they would be percent-encoded as:

api_token=king_of_the%26whirled%24
api_token_secret=dream%2Fword

So far, I got one such token.

In our fork[1] (for supporting multiple configurations) I have now added additional masking calls that match CGI.escape(api_token) and CGI.escape(api_token_secret).

[1] playtestcloud@2032609
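To illustrate the gap described in this thread, here is an added example (not code from the gem or from the fork) that masks both the literal and the percent-encoded spelling of each credential, and also tolerates lowercase hex digits from other encoders. The token values, the placeholder host and the log line are constructed.

```ruby
require 'cgi'

MASK = '<masked>'

# Constructed sample values (same shape as in the issue, not real credentials).
API_TOKEN        = 'king_of_the&whirled$'
API_TOKEN_SECRET = 'dream/word'
# Constructed log line of the kind a connection logger emits at info level:
# the tokens appear percent-encoded as query parameters. Host is a placeholder.
LOG_LINE = 'GET https://example.invalid/v4/survey' \
           '?api_token=king_of_the%26whirled%24&api_token_secret=dream%2Fword'

# Masking only the literal token never matches the percent-encoded spelling
# that ends up in request URLs, so the credential leaks into the log.
def naive_mask(message, *tokens)
  tokens.reduce(message) { |msg, token| msg.gsub(token, MASK) }
end

# Pattern matching the token literally or in its percent-encoded form.
# Encoders differ in hex-digit case (%2F vs %2f), so each %XX sequence is
# widened to accept either case; everything else is matched literally.
def token_pattern(token)
  literal = Regexp.escape(token)
  encoded = Regexp.escape(CGI.escape(token)).gsub(/%([0-9A-F]{2})/) do
    classes = Regexp.last_match(1).chars.map do |c|
      c =~ /[A-F]/ ? "[#{c}#{c.downcase}]" : c
    end
    '%' + classes.join
  end
  Regexp.union(Regexp.new(literal), Regexp.new(encoded))
end

# Mask every configured credential in a log message. Blank credentials are
# skipped so an unset secret does not become a match-everything pattern.
def mask(message, *tokens)
  tokens.compact.reject(&:empty?).reduce(message) do |msg, token|
    msg.gsub(token_pattern(token), MASK)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts naive_mask(LOG_LINE, API_TOKEN, API_TOKEN_SECRET) # tokens still visible
  puts mask(LOG_LINE, API_TOKEN, API_TOKEN_SECRET)       # both masked
end
```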

cool; i'll expect this to be resolved by a PR from you

I scoped your branch for a second. Please put this commit playtestcloud@f0ec422 on its own pull request because otherwise it will be impossible to review your changes.

Yup, that's what I thought. As you suspected, the changes for multiple configurations were extensive.

I created a separate branch fresh from master and made the change in a way that is compatible with the master of the original repository.

#91