author Alexandre Alapetite <alexandre@alapetite.fr> 2023-01-11 23:27:14 +0100
committer GitHub <noreply@github.com> 2023-01-11 23:27:14 +0100
commit 075cf4c800063e3cc65c3d41a9c23222e8ebb554
tree 6fb7d9c66fdbafea83f160c9043d9fd688844c1b /cli
parent c75baefe40952e6ae80aa8570c0acfc9baf7d997
API avoid logging passwords (#5001)
* API avoid logging passwords
* Strip passwords and tokens from API logs
* Only log failed requests information when in debug mode
* Remove debug SHA
* Clean also Apache logs
* Better comments
* Redact also token parameters
* shfmt
* Simplify whitespace
* redacted
Diffstat (limited to 'cli')
-rwxr-xr-x cli/sensitive-log.sh 9
1 files changed, 9 insertions, 0 deletions
diff --git a/cli/sensitive-log.sh b/cli/sensitive-log.sh
new file mode 100755
index 000000000..40309b0db
--- /dev/null
+++ b/cli/sensitive-log.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Strips sensitive passwords from (Apache) logs
+
+# For e.g. GNU systems such as Debian
+# N.B.: `sed -u` is not available in BusyBox and without it there are buffering delays (even with stdbuf)
+sed -Eu 's/([?&])(Passwd|token)=[^& \t]+/\1\2=redacted/ig' 2>/dev/null ||
+
+ # For systems with gawk (not available by default in Docker of Debian or Alpine) or with BuzyBox such as Alpine
+ $(which gawk || which awk) -v IGNORECASE=1 '{ print gensub(/([?&])(Passwd|token)=[^& \t]+/, "\\1\\2=redacted", "g") }'
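Review bot: the fallback on the last line runs whatever `$(which gawk || which awk)` prints without checking that anything was found, and it assumes the result supports `gensub` and `IGNORECASE`, which are gawk extensions. If neither binary exists the substitution is empty and the shell tries to execute `-v`; if a plain awk without `gensub` is picked, the filter errors out and no log lines are written. Consider resolving the interpreter with `command -v` (`which` is not guaranteed on minimal images), failing with an explicit message when none is found, and noting in the comment which awk implementations are expected to work. Separately, `2>/dev/null ||` on the `sed` line hides the reason for any failure and triggers the fallback on every non-zero exit, not only when `-u` is unsupported, so a narrower capability probe would be easier to debug. It is also worth documenting that the pattern only redacts parameters named exactly `Passwd` or `token` that directly follow `?` or `&`, so a differently named or differently positioned secret passes through unchanged. Minor: "BuzyBox" in the comment should read "BusyBox".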