lib/httpserver: mask authKey at PostFrom

'authKey' is well-known url and form param for VictoriaMetrics components authorization. Previously, it could be printed into stdout via httpserver error logger. It makes this authKey insecure and hard to use. This commit prevents from logging authKey defined at PostForm or as part of url.Query. It's recommneded to transfer authKey via PostForm and it should be implemented at separate PRs. Related issue: https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5973 --------- Signed-off-by: f41gh7 <nik@victoriametrics.com>
2026-05-26 04:57:36 +03:00 · 2025-04-08 16:15:48 +02:00
parent ebe15e0c7b
commit d5522e7c15
2 changed files with 23 additions and 3 deletions
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -12,6 +12,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
+	"net/url"
 	"os"
 	"runtime"
 	"strconv"
@@ -752,15 +753,32 @@ func GetRequestURI(r *http.Request) string {
 		return requestURI
 	}
 	_ = r.ParseForm()
-	queryArgs := r.PostForm.Encode()
-	if len(queryArgs) == 0 {
+	if len(r.PostForm) == 0 {
 		return requestURI
 	}
+	// code copied from url.Query.Encode
+	var queryArgs strings.Builder
+	for k := range r.PostForm {
+		vs := r.PostForm[k]
+		// mask authKey as well-known secret
+		if k == "authKey" {
+			vs = []string{"secret"}
+		}
+		keyEscaped := url.QueryEscape(k)
+		for _, v := range vs {
+			if queryArgs.Len() > 0 {
+				queryArgs.WriteByte('&')
+			}
+			queryArgs.WriteString(keyEscaped)
+			queryArgs.WriteByte('=')
+			queryArgs.WriteString(url.QueryEscape(v))
+		}
+	}
 	delimiter := "?"
 	if strings.Contains(requestURI, delimiter) {
 		delimiter = "&"
 	}
-	return requestURI + delimiter + queryArgs
+	return requestURI + delimiter + queryArgs.String()
 }

 // Redirect redirects to the given url.