
[FEATURE] Redact URL Parameters / Headers from Audit Logging #3949

Closed
stephen-crawford opened this issue Jan 16, 2024 · 2 comments
Labels: documentation, triaged

Comments

stephen-crawford (Contributor):

Is your feature request related to a problem?
Previously, #3885 added a new field to allow users to redact custom headers from audit logging. This allows users to specify which HTTP headers they want to ignore and can be useful when using the customization options for various authentication backends.

In the same vein, it would be helpful if there was a way to redact request info from audit logging when the JWT URL parameter feature was being used, since this can expose the same type of information. Specifically, the audit logging feature has no way to remove the URL parameter from the audit logging info, leading to the token being recorded.

What solution would you like?
Ideally, the audit logging logic would be changed to redact the URL parameter and its content from the logs. This would mean that instead of recording the entire request URL in the audit logging, it would record only the parts of the path which do not correspond to the passed token.

What alternatives have you considered?
Another alternative is simply to update the documentation to let users know that it is not recommended to log the HTTP paths when using the custom URL parameter heading.
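The redaction the request describes, written out as an added example (this is not code from the OpenSearch security plugin or from the issue author): the value of a configured query parameter is replaced before the request is written to the audit record, the rest of the path and query are left exactly as received, and headers are matched case-insensitively. The parameter name `jwtToken`, the header names and the sample request are all constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote_plus

REDACTED = "REDACTED"


def redact_url_params(url: str, sensitive_params: set[str]) -> str:
    """Replace the value of every sensitive query parameter with REDACTED.

    The query is split on '&' without decoding the other pairs, so their
    original encoding is preserved in the log exactly as the client sent it.
    Repeated parameters and a bare name with no '=' are redacted as well.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    out = []
    for item in parts.query.split("&"):
        name, _sep, _value = item.partition("=")
        if unquote_plus(name) in sensitive_params:
            out.append(f"{name}={REDACTED}")
        else:
            out.append(item)
    return urlunsplit(parts._replace(query="&".join(out)))


def redact_headers(headers: dict[str, str], sensitive_headers: set[str]) -> dict[str, str]:
    """Header names are case-insensitive, so compare them lower-cased."""
    lowered = {h.lower() for h in sensitive_headers}
    return {k: (REDACTED if k.lower() in lowered else v) for k, v in headers.items()}


def audit_record(method: str, url: str, headers: dict[str, str],
                 sensitive_params: set[str], sensitive_headers: set[str]) -> dict:
    """Build the request portion of an audit entry with secrets already removed."""
    return {
        "method": method,
        "request_path": redact_url_params(url, sensitive_params),
        "headers": redact_headers(headers, sensitive_headers),
    }


if __name__ == "__main__":
    # Constructed sample: a search request carrying a JWT as a URL parameter.
    rec = audit_record("GET", "/_search?q=user:alice&jwtToken=eyJ.abc.sig&size=10",
                       {"Authorization": "Bearer eyJ.abc.sig", "X-Proxy-User": "alice"},
                       {"jwtToken"}, {"authorization"})
    print(rec)
```

Applied once at the point where the audit module serialises the request, the same function covers every audit category that records the path, so the token never reaches the log rather than being scrubbed afterwards.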

@stephen-crawford stephen-crawford added enhancement New feature or request untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 16, 2024
@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Jan 17, 2024
@peternied peternied changed the title [FEATURE] Redact JWT URL Parameters from Audit Loggin [FEATURE] Redact JWT URL Parameters from Audit Logging Jan 18, 2024
@peternied peternied changed the title [FEATURE] Redact JWT URL Parameters from Audit Logging [FEATURE] Redact URL Parameters / Headers from Audit Logging Jan 18, 2024
stephen-crawford (Contributor, Author) commented:

[Triage] Going to mark this as triaged with the closure criteria being a documentation change which addresses the risk of audit logging the URLs with the customized URL parameters for tokens.

@stephen-crawford stephen-crawford added documentation For code documentation/ javadocs/ comments / readme etc.. triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed enhancement New feature or request labels Jan 22, 2024
@cwperks cwperks self-assigned this Feb 23, 2024
cwperks (Member) commented Feb 23, 2024:

Closing this issue as #4067 has been merged.

@cwperks cwperks closed this as completed Feb 23, 2024