fix: Hide sensitive items for restful get configs (#44057)

issue:https://github.com/milvus-io/milvus/issues/44065 Signed-off-by: yhmo <yihua.mo@zilliz.com>
2025-12-06 17:18:35 +08:00 · 2025-08-27 11:09:52 +08:00 · 2025-08-27 11:09:52 +08:00 · 55b24b7a78
commit 55b24b7a78
parent 208a345a3d
2 changed files with 53 additions and 0 deletions
--- a/internal/proxy/http_req_impl.go
+++ b/internal/proxy/http_req_impl.go
@ -46,9 +46,27 @@ var (
 	httpDBName         = "db_name"
 	HTTPCollectionName = "collection_name"
 	UnknownData        = "unknown"
+	sensitiveKeys      = []string{"secretaccesskey", "secret_access_key", "password"}
 )

+func hideSensitive(configs map[string]string) {
+	checkFunc := func(key string) bool {
+		for _, sensitive := range sensitiveKeys {
+			if strings.Contains(strings.ToLower(key), sensitive) {
+				return true
+			}
+		}
+		return false
+	}
+	for key := range configs {
+		if checkFunc(key) {
+			configs[key] = "*****"
+		}
+	}
+}
+
 func getConfigs(configs map[string]string) gin.HandlerFunc {
+	hideSensitive(configs)
 	return func(c *gin.Context) {
 		bs, err := json.Marshal(configs)
 		if err != nil {
--- a/internal/proxy/http_req_impl_test.go
+++ b/internal/proxy/http_req_impl_test.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"

 	"github.com/cockroachdb/errors"
@ -21,6 +22,40 @@ import (
 	"github.com/milvus-io/milvus/pkg/v2/util/paramtable"
 )

+func TestHideSensitive(t *testing.T) {
+	configs := map[string]string{
+		"dummy":                               "ok",
+		"MyPassword":                          "123456",
+		"your_secret_access_Key":              "ABCD",
+		"Foo":                                 "password",
+		"SECRETACCESSKEY2":                    "XXX",
+		"minio.secretAccessKey":               "secretAccessKey",
+		"common.security.defaultRootPassword": "milvus",
+	}
+	copiedConfigs := make(map[string]string)
+	for k, v := range configs {
+		copiedConfigs[k] = v
+	}
+	hideSensitive(configs)
+
+	for k := range copiedConfigs {
+		assert.Contains(t, configs, k)
+	}
+	for k, v := range configs {
+		contains := false
+		for _, sensitive := range sensitiveKeys {
+			if strings.Contains(strings.ToLower(k), sensitive) {
+				assert.Equal(t, v, "*****")
+				contains = true
+				break
+			}
+		}
+		if !contains {
+			assert.Equal(t, v, copiedConfigs[k])
+		}
+	}
+}
+
 func TestGetConfigs(t *testing.T) {
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)