fix(security): optimize log behavior

2025-04-07 17:07:09 +00:00 · 2018-09-04 08:16:55 +08:00 · 2018-09-04 08:16:55 +08:00 · 74db93c739
commit 74db93c739
parent d40c426e17
3 changed files with 7 additions and 19 deletions
--- a/config.go
+++ b/config.go
@ -27,7 +27,7 @@ var config = &Config{
 	Timeout:        flag.Int("timeout", getIntEnv("HOOK_TIMEOUT", 10), "Hook maximum delay before timeout (in second)"),
 	ScriptDir:      flag.String("scripts", getEnv("SCRIPTS_DIR", "scripts"), "Scripts directory"),
 	Authentication: flag.String("auth", getEnv("AUTH", "none"), ""),
-	AuthenticationParam: flag.String("authparam", getEnv("AUTH_PARAM", ""), func() string {
+	AuthenticationParam: flag.String("auth-param", getEnv("AUTH_PARAM", ""), func() string {
 		authdocwriter := bytes.NewBufferString("Authentication method. Available methods: ")

 		for key, method := range auth.AvailableMethods {
--- a/main.go
+++ b/main.go
@ -56,7 +56,7 @@ func main() {
 	logger.Init(level)

 	logger.Debug.Println("Starting webhookd server...")
-	logger.Info.Println("Using Authentication:", name)
+	logger.Debug.Println("Using Authentication:", name)
 	authmethod.Init(*config.Debug)

 	router := http.NewServeMux()
--- a/pkg/auth/basic.go
+++ b/pkg/auth/basic.go
@ -12,19 +12,13 @@ import (
 type basicAuth struct {
 	username   string
 	password   string
-	debug      bool
 	authheader string
 }

-func (c *basicAuth) Init(debug bool) {
-	c.debug = debug
-	if debug {
-		logger.Warning.Println("\u001B[33mBasic Auth: Debug mode enabled. Might Leak sentitive information in log output.\u001B[0m")
-	}
-}
+func (c *basicAuth) Init(_ bool) {}

 func (c *basicAuth) Usage() string {
-	return "HTTP Basic Auth. Usage: -auth basic -authparam <username>:<password>[:<realm>]  (example: -auth basic -authparam foo:bar)"
+	return "HTTP Basic Auth. Usage: -auth basic -authparam <username>:<password>[:<realm>]  (example: -auth basic -auth-param foo:bar)"
 }

 func (c *basicAuth) ParseParam(param string) error {
@ -48,21 +42,15 @@ func (c *basicAuth) Middleware() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if username, password, ok := r.BasicAuth(); ok && username == c.username && password == c.password {
-				if c.debug {
-					logger.Debug.Printf("HTTP Basic Auth: %s:%s PASSED\n", username, password)
-				}
+				logger.Info.Printf("HTTP Basic Auth: %s PASSED\n", username)
 				next.ServeHTTP(w, r)
 			} else if !ok {
-				if c.debug {
-					logger.Debug.Println("HTTP Basic Auth: Auth header not present.")
-				}
+				logger.Debug.Println("HTTP Basic Auth: Auth header not present.")
 				w.Header().Add("WWW-Authenticate", c.authheader)
 				w.WriteHeader(401)
 				w.Write([]byte("Authentication required."))
 			} else {
-				if c.debug {
-					logger.Debug.Printf("HTTP Basic Auth: Invalid credentials: %s:%s \n", username, password)
-				}
+				logger.Warning.Printf("HTTP Basic Auth: Invalid credentials for username %s\n", username)
 				w.WriteHeader(403)
 				w.Write([]byte("Forbidden."))
 			}