1 // Copyright 2020 Google LLC All Rights Reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package redact contains a simple context signal for redacting requests. 16 package redact 17 18 import ( 19 "context" 20 "errors" 21 "net/url" 22 ) 23 24 type contextKey string 25 26 var redactKey = contextKey("redact") 27 28 // NewContext creates a new ctx with the reason for redaction. 29 func NewContext(ctx context.Context, reason string) context.Context { 30 return context.WithValue(ctx, redactKey, reason) 31 } 32 33 // FromContext returns the redaction reason, if any. 34 func FromContext(ctx context.Context) (bool, string) { 35 reason, ok := ctx.Value(redactKey).(string) 36 return ok, reason 37 } 38 39 // Error redacts potentially sensitive query parameter values in the URL from the error's message. 40 // 41 // If the error is a *url.Error, this returns a *url.Error with the URL redacted. 42 // Any other error type, or nil, is returned unchanged. 43 func Error(err error) error { 44 // If the error is a url.Error, we can redact the URL. 45 // Otherwise (including if err is nil), we can't redact. 46 var uerr *url.Error 47 if ok := errors.As(err, &uerr); !ok { 48 return err 49 } 50 u, perr := url.Parse(uerr.URL) 51 if perr != nil { 52 return err // If the URL can't be parsed, just return the original error. 53 } 54 uerr.URL = URL(u).String() // Update the URL to the redacted URL. 55 return uerr 56 } 57 58 // The set of query string keys that we expect to send as part of the registry 59 // protocol. Anything else is potentially dangerous to leak, as it's probably 60 // from a redirect. These redirects often included tokens or signed URLs. 61 var paramAllowlist = map[string]struct{}{ 62 // Token exchange 63 "scope": {}, 64 "service": {}, 65 // Cross-repo mounting 66 "mount": {}, 67 "from": {}, 68 // Layer PUT 69 "digest": {}, 70 // Listing tags and catalog 71 "n": {}, 72 "last": {}, 73 } 74 75 // URL redacts potentially sensitive query parameter values from the URL's query string. 76 func URL(u *url.URL) *url.URL { 77 qs := u.Query() 78 for k, v := range qs { 79 for i := range v { 80 if _, ok := paramAllowlist[k]; !ok { 81 // key is not in the Allowlist 82 v[i] = "REDACTED" 83 } 84 } 85 } 86 r := *u 87 r.RawQuery = qs.Encode() 88 return &r 89 } 90