Don't include username or password of proxy env vars when logging them. (#9022)

2025-11-02 19:47:54 +00:00 · 2020-05-19 10:07:46 -04:00
parent 321b9c9455
commit e52f34772a
1 changed files with 27 additions and 7 deletions
--- a/command/server.go
+++ b/command/server.go
@@ -445,9 +445,7 @@ func (c *ServerCommand) runRecoveryMode() int {
 		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
 	}
-	proxyCfg := httpproxy.FromEnvironment()
+	logProxyEnvironmentVariables(c.logger)
 	c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,
 		"https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)
 	// Initialize the storage backend
 	factory, exists := c.PhysicalBackends[config.Storage.Type]
@@ -684,6 +682,31 @@ func (c *ServerCommand) runRecoveryMode() int {
 	return 0
 }
 func logProxyEnvironmentVariables(logger hclog.Logger) {
 	proxyCfg := httpproxy.FromEnvironment()
 	cfgMap := map[string]string{
 		"http_proxy":  proxyCfg.HTTPProxy,
 		"https_proxy": proxyCfg.HTTPSProxy,
 		"no_proxy":    proxyCfg.NoProxy,
 	}
 	for k, v := range cfgMap {
 		u, err := url.Parse(v)
 		if err != nil {
 			// Env vars may contain URLs or host:port values.  We only care
 			// about the former.
 			continue
 		}
 		if _, ok := u.User.Password(); ok {
 			u.User = url.UserPassword("redacted-username", "redacted-password")
 		} else if user := u.User.Username(); user != "" {
 			u.User = url.User("redacted-username")
 		}
 		cfgMap[k] = u.String()
 	}
 	logger.Info("proxy environment", "http_proxy", cfgMap["http_proxy"],
 		"https_proxy", cfgMap["https_proxy"], "no_proxy", cfgMap["no_proxy"])
 }
 func (c *ServerCommand) adjustLogLevel(config *server.Config, logLevelWasNotSet bool) (string, error) {
 	var logLevelString string
 	if config.LogLevel != "" && logLevelWasNotSet {
@@ -894,10 +917,7 @@ func (c *ServerCommand) Run(args []string) int {
 		vault.DefaultMaxRequestDuration = config.DefaultMaxRequestDuration
 	}
-	// log proxy settings
+	logProxyEnvironmentVariables(c.logger)
 	proxyCfg := httpproxy.FromEnvironment()
 	c.logger.Info("proxy environment", "http_proxy", proxyCfg.HTTPProxy,
 		"https_proxy", proxyCfg.HTTPSProxy, "no_proxy", proxyCfg.NoProxy)
 	// If mlockall(2) isn't supported, show a warning. We disable this in dev
 	// because it is quite scary to see when first using Vault. We also disable