| if len(options.reqHeaders) > 0 && len(options.reqHeaders[0]) != 0 { | ||
| for _, header := range options.headers { | ||
| fmt.Printf("%s \t\t%s\n", "Headers:", header) | ||
| fmt.Printf("%s \t\t%s: %s\n", "Headers:", header.key, header.value) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 2 months ago
To fix the problem, the code should avoid printing potentially sensitive header values in clear text. The general approaches are: (a) omit sensitive headers entirely from logs, (b) mask/obfuscate their values (e.g., keep only prefix, replace rest with ***), or (c) only log header names. The safest and simplest fix that preserves functionality is to keep visibility of which headers are being used while redacting their values when printing configuration.
Concretely, we can change showInfo in cmd/requester.go so that it does not print header.value directly. A good balance is to log header names and a masked version of their values, and to treat well-known sensitive headers (e.g., Authorization, Cookie, Set-Cookie, X-Api-Key, X-API-KEY, Proxy-Authorization) as always fully redacted. For all headers, we can implement a small helper like maskHeaderValue that returns "***" or a partially masked string. This helper will be added in cmd/requester.go just above showInfo, and showInfo’s loop will be updated to call it instead of printing the raw header.value. No behavior outside logging output is changed, and no new external dependencies are needed.
Specifically:
- In
cmd/requester.go, define a helper function such as:
func maskHeaderValue(name, value string) string {
// normalize name
lower := strings.ToLower(strings.TrimSpace(name))
switch lower {
case "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key", "x-api-key", "x-auth-token":
return "***"
}
if len(value) <= 4 {
return "***"
}
return value[:2] + "..." + "***"
}(adjusted to the project’s style).
- Modify the loop in `showInfo` from printing `%s: %s` with `header.value` to using `maskHeaderValue(header.key, header.value)`.
This ensures that even if request files contain sensitive headers, they will not be logged in clear text.
| @@ -136,6 +136,23 @@ | ||
| fmt.Printf("%s \t%20s %s\n", code, color.BlueString(resultContentLength), result.line) | ||
| } | ||
|
|
||
| // maskHeaderValue obfuscates potentially sensitive header values before logging. | ||
| // It fully redacts well-known sensitive headers and partially masks others. | ||
| func maskHeaderValue(name, value string) string { | ||
| headerName := strings.ToLower(strings.TrimSpace(name)) | ||
| switch headerName { | ||
| case "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key", "x-api-key", "x-auth-token": | ||
| return "***" | ||
| } | ||
| // For non-explicitly sensitive headers, avoid logging the full value. | ||
| trimmed := strings.TrimSpace(value) | ||
| if len(trimmed) <= 4 { | ||
| return "***" | ||
| } | ||
| // Show only a small prefix and mask the rest. | ||
| return trimmed[:2] + "...***" | ||
| } | ||
|
|
||
| // showInfo prints the configuration options used for the scan. | ||
| func showInfo(options RequestOptions) { | ||
| var statusCodeStrings []string | ||
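Review bot: The case list in `case "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key", "x-api-key", "x-auth-token":` repeats `"x-api-key"`, and gc rejects duplicate constant cases in an expression switch, so this hunk will not build as written; drop the second occurrence. The partial-mask branch is also weaker than it looks: any credential-bearing header whose name is not in the list still has its first two bytes written to the log, and `trimmed[:2]` slices bytes rather than runes, so a multi-byte leading character yields invalid UTF-8 in the output. Since showInfo only needs to confirm which headers are set, a default-deny form is simpler and is more likely to satisfy the scanner, which tracks the flow from `value` into the printed string: replace the tail after the switch with `return "***"` (or, if some signal is wanted, `return fmt.Sprintf("*** (%d bytes)", len(value))`). The body of showInfo continues past the end of this hunk, and the file's import block is not visible here, so confirm `strings` is already imported before relying on it.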
| @@ -148,7 +165,8 @@ | ||
| fmt.Printf("%s \t\t%s\n", "Target:", options.uri) | ||
| if len(options.reqHeaders) > 0 && len(options.reqHeaders[0]) != 0 { | ||
| for _, header := range options.headers { | ||
| fmt.Printf("%s \t\t%s: %s\n", "Headers:", header.key, header.value) | ||
| maskedValue := maskHeaderValue(header.key, header.value) | ||
| fmt.Printf("%s \t\t%s: %s\n", "Headers:", header.key, maskedValue) | ||
| } | ||
| } else { | ||
| fmt.Printf("%s \t\t%s\n", "Headers:", "false") |
Changes
Testing