
Merge pull request #10851 from JimMoen/fix-bad-api-logging

fix: redact api request to hide auth token
JimMoen 2 лет назад
Родитель
Сommit
6551eb21f2

+ 3 - 2
apps/emqx_dashboard/src/emqx_dashboard_bad_api.erl

@@ -21,11 +21,12 @@
 -export([init/2]).
 
 init(Req0, State) ->
-    ?SLOG(warning, #{msg => "unexpected_api_access", request => Req0}),
+    RedactedReq = emqx_utils:redact(Req0),
+    ?SLOG(warning, #{msg => "unexpected_api_access", request => RedactedReq}),
     Req = cowboy_req:reply(
         404,
         #{<<"content-type">> => <<"application/json">>},
         <<"{\"code\": \"API_NOT_EXIST\", \"message\": \"Request Path Not Found\"}">>,
-        Req0
+        RedactedReq
     ),
     {ok, Req, State}.
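Review bot: The 404 reply in `init/2` is now built from `RedactedReq` instead of the original request, so the masking meant for the log also reaches `cowboy_req:reply/4` and the `Req` handed back to cowboy. The masked copy is only needed for `?SLOG`; keeping `Req0` as the last argument of the reply call avoids giving cowboy a request whose fields `emqx_utils:redact/1` may have rewritten. Separately, the whole request map is still logged, and key-based redaction presumably does not cover credentials carried in the query string or a `cookie` header. Logging only a chosen subset such as method, path and peer would be tighter.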

+ 1 - 1
apps/emqx_utils/src/emqx_utils.app.src

@@ -2,7 +2,7 @@
 {application, emqx_utils, [
     {description, "Miscellaneous utilities for EMQX apps"},
     % strict semver, bump manually!
-    {vsn, "5.0.1"},
+    {vsn, "5.0.2"},
     {modules, [
         emqx_utils,
         emqx_utils_api,

+ 3 - 0
apps/emqx_utils/src/emqx_utils.erl

@@ -575,6 +575,9 @@ try_to_existing_atom(Convert, Data, Encoding) ->
 is_sensitive_key(token) -> true;
 is_sensitive_key("token") -> true;
 is_sensitive_key(<<"token">>) -> true;
+is_sensitive_key(authorization) -> true;
+is_sensitive_key("authorization") -> true;
+is_sensitive_key(<<"authorization">>) -> true;
 is_sensitive_key(password) -> true;
 is_sensitive_key("password") -> true;
 is_sensitive_key(<<"password">>) -> true;
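Review bot: The three new `authorization` clauses match only the exact lowercase spelling, so a key such as `<<"Authorization">>` or `<<"proxy-authorization">>` would not be treated as sensitive if a caller passes header names that were not normalised. Cowboy lowercases request header names, which covers the dashboard path touched in this commit, but the redaction helper looks like a shared utility and other callers may not give that guarantee. Consider lowercasing binary and string keys before the match, or at least adding a comment such as `%% keys are matched case-sensitively; callers must lowercase header names`. `is_sensitive_key/1` starts and ends outside this hunk, so clauses not shown here may already cover part of this.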

+ 1 - 0
changes/ce/fix-10851.en.md

@@ -0,0 +1 @@
+Obfuscated sensitive data in the bad API logging.