
Commit 68bb566

Redact CPK headers in log output. (#2127)
Currently, azcopy emits the following headers to log files when Customer Provided Keys are used: x-ms-encryption-key and x-ms-encryption-key-sha256. I believe this is unexpected for some users. This patch redacts those headers from log files so that encryption keys do not accidentally leak. Co-authored-by: Mikkel Krautz <mk@intertisement.com>
1 parent 1e36cf3 commit 68bb566


1 file changed

+13
-1
lines changed


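--- a/ste/xferLogPolicy.go
+++ b/ste/xferLogPolicy.go
@@ -254,7 +254,7 @@ func prepareRequestForServiceLogging(request pipeline.Request) *http.Request {
 // contains header x-ms-copy-source which could contains secrets for authentication.
 // Prepare the headers for logging, with redact secrets in x-ms-copy-source header.
 if exist, key := doesHeaderExistCaseInsensitive(req.Header, xMsCopySourceHeader); exist {
-req = request.Copy()
+req = req.Copy()
 url, err := url.Parse(req.Header.Get(key))
 if err == nil {
 rawQuery := url.RawQuery
@@ -267,10 +267,22 @@ func prepareRequestForServiceLogging(request pipeline.Request) *http.Request {
 }
 }
 }
+// Redact headers that have to do with CPK keys.
+if exist, key := doesHeaderExistCaseInsensitive(req.Header, xMsEncryptionKey); exist {
+req = req.Copy()
+req.Header.Set(key, "REDACTED")
+}
+if exist, key := doesHeaderExistCaseInsensitive(req.Header, xMsEncryptionKeySha256); exist {
+req = req.Copy()
+req.Header.Set(key, "REDACTED")
+}
+
 return req.Request
 }
 
 const xMsCopySourceHeader = "x-ms-copy-source"
+const xMsEncryptionKey = "x-ms-encryption-key"
+const xMsEncryptionKeySha256 = "x-ms-encryption-key-sha256"
 
 func doesHeaderExistCaseInsensitive(header http.Header, key string) (bool, string) {
 for keyInHeader := range header {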
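Review bot: Both new CPK branches call `req.Header.Set(key, "REDACTED")`, and `http.Header.Set` canonicalizes `key` before writing, so the redaction may land on a different map entry than the one that was matched. The body of `doesHeaderExistCaseInsensitive` runs past the end of this hunk, but if it returns the key exactly as stored and that key is non-canonical, the original entry keeps the encryption key and it still reaches the log. Writing through the map with the returned key, `req.Header[key] = []string{"REDACTED"}`, overwrites the entry that was actually found. The three `req = req.Copy()` calls could be reduced to a single copy taken the first time a sensitive header is detected. A test that passes a request carrying both headers in lower-case form and asserts the key value is absent from the prepared request would pin the behaviour.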
