Redact tokens, etc. in url parameters from request logs (jupyter-server#1212)

minrk · web-flow · commit 968c56c8c69a · 2023-02-15T08:13:30.000-06:00
replaces `?token=abc123` with `?token=[secret]` in logs
diff --git a/jupyter_server/log.py b/jupyter_server/log.py
@@ -6,12 +6,39 @@
 #  the file LICENSE, distributed as part of this software.
 # -----------------------------------------------------------------------------
 import json
+from urllib.parse import urlparse, urlunparse
 
 from tornado.log import access_log
 
 from .auth import User
 from .prometheus.log_functions import prometheus_log_method
 
+# url params to be scrubbed if seen
+# any url param that *contains* one of these
+# will be scrubbed from logs
+_SCRUB_PARAM_KEYS = {"token", "auth", "key", "code", "state", "xsrf"}
+
+
+def _scrub_uri(uri: str) -> str:
+    """scrub auth info from uri"""
+    parsed = urlparse(uri)
+    if parsed.query:
+        # check for potentially sensitive url params
+        # use manual list + split rather than parsing
+        # to minimally perturb original
+        parts = parsed.query.split("&")
+        changed = False
+        for i, s in enumerate(parts):
+            key, sep, value = s.partition("=")
+            for substring in _SCRUB_PARAM_KEYS:
+                if substring in key:
+                    parts[i] = f"{key}{sep}[secret]"
+                    changed = True
+        if changed:
+            parsed = parsed._replace(query="&".join(parts))
+            return urlunparse(parsed)
+    return uri
+
 
 def log_request(handler):
     """log a bit more information about each request than tornado's default
@@ -43,7 +70,7 @@ def log_request(handler):
         "status": status,
         "method": request.method,
         "ip": request.remote_ip,
-        "uri": request.uri,
+        "uri": _scrub_uri(request.uri),
         "request_time": request_time,
     }
     # log username
@@ -59,7 +86,7 @@ def log_request(handler):
     msg = "{status} {method} {uri} ({username}@{ip}) {request_time:.2f}ms"
     if status >= 400:  # noqa[PLR2004]
         # log bad referers
-        ns["referer"] = request.headers.get("Referer", "None")
+        ns["referer"] = _scrub_uri(request.headers.get("Referer", "None"))
         msg = msg + " referer={referer}"
     if status >= 500 and status != 502:  # noqa[PLR2004]
         # Log a subset of the headers if it caused an error.
