
Merge pull request #12635 from lafirest/fix/r551

fix(http): fix that sensitive headers may be printed in log when querying
lafirest 1 gadu atpakaļ
vecāks
revīzija
79f0720d14

+ 2 - 2
apps/emqx_bridge_http/src/emqx_bridge_http_connector.erl

@@ -861,9 +861,9 @@ redact(Data) ->
 %% and we also can't know the body format and where the sensitive data will be
 %% so the easy way to keep data security is redacted the whole body
 redact_request({Path, Headers}) ->
-    {Path, redact(Headers)};
+    {Path, emqx_utils_redact:redact_headers(Headers)};
 redact_request({Path, Headers, _Body}) ->
-    {Path, redact(Headers), <<"******">>}.
+    {Path, emqx_utils_redact:redact_headers(Headers), <<"******">>}.
 
 clientid(Msg) -> maps:get(clientid, Msg, undefined).
 
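Review bot: Both clauses of `redact_request` now rely only on the header-name list behind `emqx_utils_redact:redact_headers/1`, and nothing in this hunk shows that the list covers everything the previous local `redact/1` call masked. Only the `"authorization"` clause of `is_sensitive_header/1` is visible on this page, so a header that the generic key checker used to catch (for example a custom token or API-key header) could now reach the log in clear if it is not listed there. Please confirm the header list is a superset. If the two redactors are meant to be complementary, keep both passes, e.g. `{Path, redact(emqx_utils_redact:redact_headers(Headers))}` and the same for the three-tuple clause. The definition of the local `redact/1` is outside the hunk, so this is inferred from the call sites only.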

+ 5 - 2
apps/emqx_utils/src/emqx_utils_redact.erl

@@ -16,7 +16,7 @@
 
 -module(emqx_utils_redact).
 
--export([redact/1, redact/2, is_redacted/2, is_redacted/3]).
+-export([redact/1, redact/2, redact_headers/1, is_redacted/2, is_redacted/3]).
 -export([deobfuscate/2]).
 
 -define(REDACT_VAL, "******").
@@ -62,6 +62,9 @@ redact(Term, Checker) ->
         is_sensitive_key(V) orelse Checker(V)
     end).
 
+redact_headers(Term) ->
+    do_redact_headers(Term).
+
 do_redact(L, Checker) when is_list(L) ->
     lists:map(fun(E) -> do_redact(E, Checker) end, L);
 do_redact(M, Checker) when is_map(M) ->
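Review bot: `redact_headers/1` is now exported but has no `-spec` and no comment stating which header representations it accepts. The last clause of `do_redact_headers/1`, visible as context in the next hunk (`do_redact_headers(Value) -> Value.`), returns any unrecognised term unchanged, so a caller passing an unsupported shape would get its headers back unredacted and without an error. I would add `-spec redact_headers(term()) -> term().` and a short `%%` comment above the function. The comment should name the supported shapes and say that anything else is passed through as-is, so callers on a logging path know the function does not fail closed. The earlier clauses of `do_redact_headers/1` are not on this page, so the exact shapes need to be filled in from the module.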
@@ -128,7 +131,7 @@ do_redact_headers(Value) ->
     Value.
 
 check_is_sensitive_header(Key) ->
-    Key1 = emqx_utils_conv:str(Key),
+    Key1 = string:trim(emqx_utils_conv:str(Key)),
     is_sensitive_header(string:lowercase(Key1)).
 
 is_sensitive_header("authorization") ->
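Review bot: The `string:trim/1` call added in `check_is_sensitive_header/1` has no comment explaining why a header name can arrive with surrounding whitespace, and no test for that case is visible on this page. A why-comment such as `%% header names may arrive padded (e.g. " Authorization"); trim before matching so they are still redacted` would keep a later cleanup from removing the call and reopening the leak. A regression test asserting that a padded `authorization` key is masked by `redact_headers/1` would pin the fix. `is_sensitive_header/1` continues past the end of this hunk, so the rest of the sensitive-name list could not be checked here.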