Merge pull request #1010 from sabeechen/new-backup-interval

Sanitize sensitive strings in the webserver logging

hassio-google-drive-backup/backup/ui/uiserver.py

@@ -794,22 +794,38 @@ async def shutdown(self):
     @web.middleware
     async def error_middleware(self, request: Request, handler):
         try:
+            url_sanitized = self._sanitize(request.url)
             log_trace = self.config.get(Setting.TRACE_REQUESTS)
             if log_trace:
                 logger.trace("Serving %s %s to %s", request.method,
-                            request.url, request.remote)
+                            url_sanitized, request.remote)
             handled = await handler(request)
             if log_trace:
-                logger.trace("Completed %s %s", request.method, request.url)
+                logger.trace("Completed %s %s", request.method, url_sanitized)
             return handled
         except Exception as ex:
             if isinstance(ex, HTTPException):
                 raise
-            logger.error("Error serving %s %s", request.method, request.url)
+            logger.error("Error serving %s %s", request.method, url_sanitized)
             logger.error(logger.formatException(ex))
             data = self.processError(ex)
             return web.json_response(data, status=data['http_status'])
 
+    def _sanitize(self, url: URL):
+        """Sanitizes a url by replacing any instances of client_id and client_secret query parameters with <redacted>"""
+        try:
+            query = {a[0]: a[1] for a in url.query.items()}
+            if 'client_id' in query:
+                query['client_id'] = 'redacted'
+            if 'client_secret' in query:
+                query['client_secret'] = 'redacted'
+            url = url.with_query(query)
+        except Exception as e:
+            # Fall back to just returning the url if it was malformed
+            pass
+        return url
+
+
     def processError(self, e):
         if isinstance(e, KnownError):
             known: KnownError = e

hassio-google-drive-backup/tests/test_uiserver.py

@@ -1178,3 +1178,8 @@ async def test_oob_warning(reader: ReaderHelper, ui_server: UiServer, config: Co
     data_cache.addFlag(UpgradeFlags.NOTIFIED_ABOUT_OOB_FLOW)
     status = await reader.getjson("getstatus")
     assert status['warn_oob_oauth'] is False
+
+
+@pytest.mark.asyncio
+async def test_url_sanitize(ui_server: UiServer):
+    assert ui_server._sanitize(URL("http://localhost/test?client_id=im_a_secret&client_secret=im_a_secret&ignore=shown")) == URL("http://localhost/test?client_id=redacted&client_secret=redacted&ignore=shown")