feat: scrub Set-Cookie header in debug logs (#1190)

Signed-off-by: Billy Zha <[email protected]>
oras-project · Dec 6, 2023 · 304c9c6 · 304c9c6
1 parent 4647a14
commit 304c9c6
Showing 1 changed file with 15 additions and 5 deletions.
diff --git a/internal/trace/transport.go b/internal/trace/transport.go
@@ -22,9 +22,17 @@ import (
 	"sync/atomic"
 )
 
-// requestCount records the number of logged request-response pairs and will
-// be used as the unique id for the next pair.
-var requestCount uint64
+var (
+	// requestCount records the number of logged request-response pairs and will
+	// be used as the unique id for the next pair.
+	requestCount uint64
+
+	// toScrub is a set of headers that should be scrubbed from the log.
+	toScrub = []string{
+		"Authorization",
+		"Set-Cookie",
+	}
+)
 
 // Transport is an http.RoundTripper that keeps track of the in-flight
 // request and add hooks to report HTTP tracing events.
@@ -68,8 +76,10 @@ func logHeader(header http.Header) string {
 	if len(header) > 0 {
 		headers := []string{}
 		for k, v := range header {
-			if strings.EqualFold(k, "Authorization") {
-				v = []string{"*****"}
+			for _, h := range toScrub {
+				if strings.EqualFold(k, h) {
+					v = []string{"*****"}
+				}
 			}
 			headers = append(headers, fmt.Sprintf("   %q: %q", k, strings.Join(v, ", ")))
 		}