diff --git a/ydb/library/actors/http/http.h b/ydb/library/actors/http/http.h
index d499c7788fba..ea8f91f5214f 100644
--- a/ydb/library/actors/http/http.h
+++ b/ydb/library/actors/http/http.h
@@ -6,6 +6,7 @@ #include #include #include +#include #include "http_config.h" // TODO(xenoxeno): hide in implementation
@@ -208,40 +209,57 @@ class THttpBase : public HeaderType, public BufferType {
 public:
 TString GetObfuscatedData() const {
 THeaders headers(HeaderType::Headers);
- TStringBuf authorization(headers["Authorization"]);
- TStringBuf cookie(headers["Cookie"]);
- TStringBuf set_cookie(headers["Set-Cookie"]);
- TStringBuf x_ydb_auth_ticket(headers["x-ydb-auth-ticket"]);
- TStringBuf x_yacloud_subjecttoken(headers["x-yacloud-subjecttoken"]);
+ TStringBuf authorizationHeader(headers["Authorization"]);
+ TStringBuf cookieHeader(headers["Cookie"]);
+ TStringBuf setCookieHeader(headers["Set-Cookie"]);
+ TStringBuf xYdbAuthTicketHeader(headers["x-ydb-auth-ticket"]);
+ TStringBuf xYacloudSubjecttokenHeader(headers["x-yacloud-subjecttoken"]);
 TString data(GetRawData());
- if (!authorization.empty()) {
- auto pos = data.find(authorization);
+ if (!authorizationHeader.empty()) {
+ auto pos = data.find(authorizationHeader);
 if (pos != TString::npos) {
- data.replace(pos, authorization.size(), TString(""));
+ data.replace(pos, authorizationHeader.size(), TString(""));
 }
 }
- if (!cookie.empty()) {
- auto pos = data.find(cookie);
+ if (!cookieHeader.empty()) {
+ TStringBuf cookieParser(cookieHeader);
+ TStringBuilder obfuscated;
+ for (TStringBuf param = cookieParser.NextTok(';'); !param.empty(); param = cookieParser.NextTok(';')) {
+ param.SkipPrefix(" ");
+ TStringBuf name = param.NextTok('=');
+ if (!obfuscated.empty()) {
+ obfuscated << ' ';
+ }
+ obfuscated << name << '=' << NKikimr::MaskTicket(param) << ';';
+ }
+ auto pos = data.find(cookieHeader);
 if (pos != TString::npos) {
- data.replace(pos, cookie.size(), TString(""));
+ data.replace(pos, cookieHeader.size(), obfuscated);
 }
 }
- if (!set_cookie.empty()) {
- auto pos = data.find(set_cookie);
- if (pos != TString::npos) {
- data.replace(pos, set_cookie.size(), TString(""));
+ if (!setCookieHeader.empty()) {
+ TStringBuf cookieParser(setCookieHeader);
+ TStringBuf name = cookieParser.NextTok('=');
+ TStringBuf value = cookieParser.NextTok(';');
+ if (!name.empty()) {
+ TStringBuilder obfuscated;
+ obfuscated << name << '=' << NKikimr::MaskTicket(value) << ';' << cookieParser;
+ auto pos = data.find(setCookieHeader);
+ if (pos != TString::npos) {
+ data.replace(pos, setCookieHeader.size(), obfuscated);
+ }
 }
 }
- if (!x_ydb_auth_ticket.empty()) {
- auto pos = data.find(x_ydb_auth_ticket);
+ if (!xYdbAuthTicketHeader.empty()) {
+ auto pos = data.find(xYdbAuthTicketHeader);
 if (pos != TString::npos) {
- data.replace(pos, x_ydb_auth_ticket.size(), TString(""));
+ data.replace(pos, xYdbAuthTicketHeader.size(), TString(""));
 }
 }
- if (!x_yacloud_subjecttoken.empty()) {
- auto pos = data.find(x_yacloud_subjecttoken);
+ if (!xYacloudSubjecttokenHeader.empty()) {
+ auto pos = data.find(xYacloudSubjecttokenHeader);
 if (pos != TString::npos) {
- data.replace(pos, x_yacloud_subjecttoken.size(), TString(""));
+ data.replace(pos, xYacloudSubjecttokenHeader.size(), TString(""));
 }
 }
 return data;
diff --git a/ydb/library/actors/http/ya.make b/ydb/library/actors/http/ya.make
index bd1bbd7ebe5c..5943cad80116 100644
--- a/ydb/library/actors/http/ya.make
+++ b/ydb/library/actors/http/ya.make
@@ -24,6 +24,7 @@ PEERDIR(
 contrib/libs/zlib
 ydb/library/actors/core
 ydb/library/actors/interconnect
+ ydb/library/security
 library/cpp/dns
 library/cpp/monlib/metrics
 library/cpp/string_utils/quote
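Review bot: In `GetObfuscatedData` (http.h), both new cookie branches write whatever precedes the first `=` to the output unmasked, so a pair with no `=` (a nameless cookie or a malformed header) appears to be logged in full: `param.NextTok('=')` and `cookieParser.NextTok('=')` presumably return the whole token when the delimiter is absent, leaving `MaskTicket` only an empty string to mask. Before this change the entire header value was replaced, so this is a new way for a session value to reach the log. I would split with `TrySplit('=', name, value)` and mask the entire token when it fails, as below for the `Cookie` loop; the `Set-Cookie` branch needs the same test in place of `if (!name.empty())`. It is also worth confirming how much of a value `NKikimr::MaskTicket` keeps, since it is not defined in this diff and every cookie value is now partially rather than fully redacted. The function's closing brace lies outside the hunk.

```cpp
for (TStringBuf param = cookieParser.NextTok(';'); !param.empty(); param = cookieParser.NextTok(';')) {
    param.SkipPrefix(" ");
    // … unchanged: separator written between obfuscated pairs …
    TStringBuf name;
    TStringBuf value;
    if (param.TrySplit('=', name, value)) {
        obfuscated << name << '=' << NKikimr::MaskTicket(value) << ';';
    } else {
        // No '=' in this pair: the whole token may be the secret, so mask all of it.
        obfuscated << NKikimr::MaskTicket(param) << ';';
    }
}
```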