Fix access token leak to logs from proxyagent (#13855)
This can happen specifically with an application service `/transactions/10722?access_token=leaked` request.

Fix https://github.com/matrix-org/synapse/issues/13010

---

Saw an example leak in https://github.com/matrix-org/synapse/issues/13423#issuecomment-1205348482

```
2022-08-04 14:47:57,925 - synapse.http.client - 401 - DEBUG - as-sender-signal-1 - Sending request PUT http://localhost:29328/transactions/10722?access_token=<redacted>
2022-08-04 14:47:57,926 - synapse.http.proxyagent - 223 - DEBUG - as-sender-signal-1 - Requesting b'http://localhost:29328/transactions/10722?access_token=leaked' via <HostnameEndpoint localhost:29328>
```
parent
e3512a7719
commit
db868db594
2 changed files with 7 additions and 1 deletions
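--- a/changelog.d/13855.bugfix
+++ b/changelog.d/13855.bugfix
@@ -0,0 +1 @@
+Fix access token leak to logs from proxy agent.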
@ -36,6 +36,7 @@ from twisted.web.error import SchemeNotSupported
|
||||||
from twisted.web.http_headers import Headers
|
from twisted.web.http_headers import Headers
|
||||||
from twisted.web.iweb import IAgent, IBodyProducer, IPolicyForHTTPS
|
from twisted.web.iweb import IAgent, IBodyProducer, IPolicyForHTTPS
|
||||||
|
|
||||||
|
from synapse.http import redact_uri
|
||||||
from synapse.http.connectproxyclient import HTTPConnectProxyEndpoint, ProxyCredentials
|
from synapse.http.connectproxyclient import HTTPConnectProxyEndpoint, ProxyCredentials
|
||||||
from synapse.types import ISynapseReactor
|
from synapse.types import ISynapseReactor
|
||||||
|
|
||||||
|
@ -220,7 +221,11 @@ class ProxyAgent(_AgentBase):
|
||||||
self._reactor, parsed_uri.host, parsed_uri.port, **self._endpoint_kwargs
|
self._reactor, parsed_uri.host, parsed_uri.port, **self._endpoint_kwargs
|
||||||
)
|
)
|
||||||
|
|
||||||
logger.debug("Requesting %s via %s", uri, endpoint)
|
logger.debug(
|
||||||
|
"Requesting %s via %s",
|
||||||
|
redact_uri(uri.decode("ascii", errors="replace")),
|
||||||
|
endpoint,
|
||||||
|
)
|
||||||
|
|
||||||
if parsed_uri.scheme == b"https":
|
if parsed_uri.scheme == b"https":
|
||||||
tls_connection_creator = self._policy_for_https.creatorForNetloc(
|
tls_connection_creator = self._policy_for_https.creatorForNetloc(
|
||||||
|
|
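Review bot: The redaction added at the `logger.debug(` call in the second hunk depends entirely on `redact_uri`, which is defined outside this page, and nothing in this commit pins the behaviour: the diffstat lists only the changelog and this file, so no test asserts that the `Requesting %s via %s` line never carries an `access_token` value. A regression test that sends a `?access_token=...` URI through the agent and checks the captured debug output would keep a later refactor from reintroducing the leak. The `endpoint` argument is still logged as-is; its repr presumably holds only host and port, as in the `<HostnameEndpoint localhost:29328>` sample, but that is worth confirming for the proxy endpoint types, since this module imports `ProxyCredentials`. I would also add a one-line comment above the call, `# uri can carry ?access_token=...; only log it through redact_uri`. The enclosing method starts and ends outside the hunk.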