Adds a note about obfuscating query name/ID from the logs.

2015-11-11 22:54:55 -08:00 · 2015-11-11 22:54:55 -08:00 · 978fb443a7
parent 7762a828d3
commit 978fb443a7
1 changed files with 9 additions and 0 deletions
--- a/command/agent/http.go
+++ b/command/agent/http.go
@ -310,6 +310,15 @@ func (s *HTTPServer) wrap(handler func(resp http.ResponseWriter, req *http.Reque
 			}
 		}

+		// TODO (slackpad) We may want to consider redacting prepared
+		// query names/IDs here since they are proxies for tokens. But,
+		// knowing one only gives you read access to service listings
+		// which is pretty trivial, so it's probably not worth the code
+		// complexity and overhead of filtering them out. You can't
+		// recover the token it's a proxy for with just the query info;
+		// you'd need the actual token (or a management token) to read
+		// that back.
+
 		// Invoke the handler
 		start := time.Now()
 		defer func() {