gilles/Strix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix credentials leaking in debug logs (#4)

Browse Source 
Add a secret-masking slog.Handler that automatically replaces registered
passwords with "***" in all log output. Secrets are registered per-scan
when a discovery request arrives and unregistered when it completes.

This approach masks credentials everywhere they appear in logs — URL
userinfo, query parameters, path segments, and Go HTTP error messages —
without modifying any business logic in scanner, builder, tester, or
ONVIF components. API responses are unaffected and still return full
URLs with credentials for frontend use.
This commit is contained in:
eduard256
2026-03-20 11:03:01 +00:00
parent e269e243da
commit 8cf05a1576
7 changed files with 422 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/utils/logger/adapter.go
+3 -2
View File
@@ -5,11 +5,12 @@ import "log/slog"
// Adapter wraps slog.Logger to match our interface
type Adapter struct {
*slog.Logger
Secrets *SecretStore
}
// NewAdapter creates a new logger adapter
func NewAdapter(logger *slog.Logger) *Adapter {
return &Adapter{Logger: logger}
func NewAdapter(logger *slog.Logger, secrets *SecretStore) *Adapter {
return &Adapter{Logger: logger, Secrets: secrets}
}
// Debug logs a debug message