fix: redact sensitive data from plugin log output #13123

Open
Baoyuantop wants to merge 7 commits into apache:master from
Baoyuantop:fix-log-key

@Baoyuantop
Contributor

Description

I reviewed all the code and removed any instances where the key might have been printed in the logs.

Which issue(s) this PR fixes:

Fixes #13118

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Mar 27, 2026
Baoyuantop and others added 2 commits March 30, 2026 11:15
- jwt-auth-more-algo.t: update error_log patterns from JSON format
  '"alg":"XXX"' to plain text 'parsed jwt alg: XXX'
- wolf-rbac.t: reduce grep_error_log_out expected count from 3 to 2
  since res.body log was removed
- ext-plugin/sanity.t: remove ' conf: [...]' from regex since conf
  is no longer logged after token redaction

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Baoyuantop and others added 4 commits April 1, 2026 17:08
- proxy-cache/proxy-mirror: revert over-restrictive log changes; cache
  key and mirror conf contain no sensitive data (per review comments)
- wolf-rbac: remove wolf_token from perm_item to prevent accidental
  serialization, remove consumers dump, strip request body/headers/
  response body from request_to_wolf_server logs, replace consumer
  object dump with appid-only log in wolf_rbac_login
- ai-aliyun-content-moderation: replace str_to_sign debug log (which
  contained AccessKeyId and user content) with params count only

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The wolf server returns error codes (e.g., ERR_USERNAME_MISSING) in
body.reason. Log this non-sensitive field instead of 'ok=false' so
that existing grep_error_log test patterns continue to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
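
An added example, not code from this pull request or from APISIX: a minimal allow-list approach to the kind of change the commit messages above describe (logging only the appid instead of a consumer object, and a params count instead of the string to sign). The helper names `log_fields` and `count_keys` and all sample values are hypothetical.

```lua
-- Added example: allow-list projection for log lines (hypothetical helpers,
-- not APISIX code). Only named scalar fields ever reach the log string.

-- Replace control characters so a logged value cannot forge extra log lines.
local function clean(v)
    return (tostring(v):gsub("%c", "?"))
end

-- Build "k1=v1 k2=v2" from the allow-listed scalar fields of `obj`.
-- Tables, functions and unlisted keys (tokens, bodies) are never serialized.
local function log_fields(obj, allow)
    local parts = {}
    for _, key in ipairs(allow) do
        local v = obj[key]
        local t = type(v)
        if t == "string" or t == "number" or t == "boolean" then
            parts[#parts + 1] = key .. "=" .. clean(v)
        end
    end
    return table.concat(parts, " ")
end

-- Count entries without revealing keys or values ("params count only").
local function count_keys(tbl)
    local n = 0
    for _ in pairs(tbl) do n = n + 1 end
    return n
end

-- Constructed sample data; every key and value below is made up for the demo,
-- apart from the field names appid, wolf_token and AccessKeyId taken from the page.
local consumer = {
    appid = "demo-app",
    wolf_token = "CONSTRUCTED-TOKEN",
    auth_conf = { secret = "CONSTRUCTED-SECRET" },
}
local params = { AccessKeyId = "CONSTRUCTED-KEY-ID", Action = "demo", Content = "user text" }

local line1 = "login consumer: " .. log_fields(consumer, { "appid" })
local line2 = "signing request, params count: " .. count_keys(params)
print(line1)
print(line2)

-- Regression check: no constructed secret may appear in what was logged.
for _, secret in ipairs({ "CONSTRUCTED-TOKEN", "CONSTRUCTED-SECRET", "CONSTRUCTED-KEY-ID" }) do
    assert(not (line1 .. line2):find(secret, 1, true), "leaked: " .. secret)
end
```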
Development

Successfully merging this pull request may close these issues.

bug: ai plugins log summaries and payloads even when logging options are set to false

1 participant