lib/httpserver: mask authKey at PostFrom

'authKey' is well-known url and form param for VictoriaMetrics components authorization. Previously, it could be printed into stdout via httpserver error logger. It makes this authKey insecure and hard to use. This commit prevents from logging authKey defined at PostForm or as part of url.Query. It's recommneded to transfer authKey via PostForm and it should be implemented at separate PRs. Related issue: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5973 --------- Signed-off-by: f41gh7 <nik@victoriametrics.com>
2026-05-17 08:36:55 +03:00 · 2025-04-08 16:15:48 +02:00
parent f16938bba9
commit 8f3efde55d
2 changed files with 23 additions and 3 deletions
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -12,6 +12,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
+	"net/url"
 	"os"
 	"runtime"
 	"strconv"
@@ -752,15 +753,32 @@ func GetRequestURI(r *http.Request) string {
 		return requestURI
 	}
 	_ = r.ParseForm()
-	queryArgs := r.PostForm.Encode()
-	if len(queryArgs) == 0 {
+	if len(r.PostForm) == 0 {
 		return requestURI
 	}
+	// code copied from url.Query.Encode
+	var queryArgs strings.Builder
+	for k := range r.PostForm {
+		vs := r.PostForm[k]
+		// mask authKey as well-known secret
+		if k == "authKey" {
+			vs = []string{"secret"}
+		}
+		keyEscaped := url.QueryEscape(k)
+		for _, v := range vs {
+			if queryArgs.Len() > 0 {
+				queryArgs.WriteByte('&')
+			}
+			queryArgs.WriteString(keyEscaped)
+			queryArgs.WriteByte('=')
+			queryArgs.WriteString(url.QueryEscape(v))
+		}
+	}
 	delimiter := "?"
 	if strings.Contains(requestURI, delimiter) {
 		delimiter = "&"
 	}
-	return requestURI + delimiter + queryArgs
+	return requestURI + delimiter + queryArgs.String()
 }

 // Redirect redirects to the given url.