fix(rest): Filter sensitive headers from error logs (#2117)

cmackenzie1 · cmackenzie1 · commit 6e69dd0eb4ef · 2026-02-09T13:35:49.000-08:00
Sensitive headers like Set-Cookie, Authorization, and Cookie were being
included in error messages, potentially exposing authentication tokens
and session information in logs.

This change filters out sensitive headers entirely from error context
rather than logging their values, preventing credential leakage.
diff --git a/crates/catalog/rest/src/client.rs b/crates/catalog/rest/src/client.rs
@@ -278,14 +278,40 @@ pub(crate) async fn deserialize_catalog_response<R: DeserializeOwned>(
     })
 }
 
+/// Headers that contain sensitive information and should be excluded from logs.
+const SENSITIVE_HEADERS: &[&str] = &[
+    "authorization",
+    "proxy-authorization",
+    "set-cookie",
+    "cookie",
+    "x-api-key",
+    "x-auth-token",
+];
+
+/// Returns true if the header name is considered sensitive.
+fn is_sensitive_header(name: &str) -> bool {
+    let name_lower = name.to_lowercase();
+    SENSITIVE_HEADERS.iter().any(|h| name_lower == *h)
+}
+
+/// Filters out sensitive headers and returns a debug-formatted string.
+fn format_headers_redacted(headers: &HeaderMap) -> String {
+    let filtered: HashMap<&str, &str> = headers
+        .iter()
+        .filter(|(name, _)| !is_sensitive_header(name.as_str()))
+        .filter_map(|(name, value)| value.to_str().ok().map(|v| (name.as_str(), v)))
+        .collect();
+    format!("{:?}", filtered)
+}
+
 /// Deserializes a unexpected catalog response into an error.
 pub(crate) async fn deserialize_unexpected_catalog_error(response: Response) -> Error {
     let err = Error::new(
         ErrorKind::Unexpected,
         "Received response with unexpected status code",
     )
     .with_context("status", response.status().to_string())
-    .with_context("headers", format!("{:?}", response.headers()));
+    .with_context("headers", format_headers_redacted(response.headers()));
 
     let bytes = match response.bytes().await {
         Ok(bytes) => bytes,
@@ -297,3 +323,99 @@ pub(crate) async fn deserialize_unexpected_catalog_error(response: Response) ->
     }
     err.with_context("json", String::from_utf8_lossy(&bytes))
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_format_headers_redacted_empty() {
+        let headers = HeaderMap::new();
+        let result = format_headers_redacted(&headers);
+        assert_eq!(result, "{}");
+    }
+
+    #[test]
+    fn test_format_headers_redacted_non_sensitive() {
+        let mut headers = HeaderMap::new();
+        headers.insert("content-type", "application/json".parse().unwrap());
+        headers.insert("x-request-id", "abc123".parse().unwrap());
+
+        let result = format_headers_redacted(&headers);
+
+        assert!(result.contains("content-type"));
+        assert!(result.contains("application/json"));
+        assert!(result.contains("x-request-id"));
+        assert!(result.contains("abc123"));
+    }
+
+    #[test]
+    fn test_format_headers_redacted_filters_sensitive() {
+        let mut headers = HeaderMap::new();
+        headers.insert("authorization", "Bearer secret-token".parse().unwrap());
+        headers.insert("content-type", "application/json".parse().unwrap());
+
+        let result = format_headers_redacted(&headers);
+
+        // Sensitive header should be filtered out entirely
+        assert!(!result.contains("authorization"));
+        assert!(!result.contains("secret-token"));
+        // Non-sensitive header should be present
+        assert!(result.contains("content-type"));
+        assert!(result.contains("application/json"));
+    }
+
+    #[test]
+    fn test_format_headers_redacted_filters_set_cookie() {
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            "set-cookie",
+            "CF_Authorization=sensitive-session-token; Path=/; Secure;"
+                .parse()
+                .unwrap(),
+        );
+        headers.insert("server", "cloudflare".parse().unwrap());
+
+        let result = format_headers_redacted(&headers);
+
+        // Sensitive header should be filtered out entirely
+        assert!(!result.contains("set-cookie"));
+        assert!(!result.contains("sensitive-session-token"));
+        // Non-sensitive header should be present
+        assert!(result.contains("server"));
+        assert!(result.contains("cloudflare"));
+    }
+
+    #[test]
+    fn test_format_headers_redacted_filters_all_sensitive() {
+        let mut headers = HeaderMap::new();
+        headers.insert("authorization", "Bearer token".parse().unwrap());
+        headers.insert("proxy-authorization", "Basic creds".parse().unwrap());
+        headers.insert("set-cookie", "session=abc".parse().unwrap());
+        headers.insert("cookie", "session=abc".parse().unwrap());
+        headers.insert("x-api-key", "api-key-123".parse().unwrap());
+        headers.insert("x-auth-token", "auth-token-456".parse().unwrap());
+        headers.insert("x-request-id", "req-123".parse().unwrap());
+
+        let result = format_headers_redacted(&headers);
+
+        // All sensitive headers should be filtered out
+        assert!(!result.contains("authorization"));
+        assert!(!result.contains("proxy-authorization"));
+        assert!(!result.contains("set-cookie"));
+        assert!(!result.contains("cookie"));
+        assert!(!result.contains("x-api-key"));
+        assert!(!result.contains("x-auth-token"));
+
+        // Ensure no sensitive values leaked
+        assert!(!result.contains("Bearer token"));
+        assert!(!result.contains("Basic creds"));
+        assert!(!result.contains("session=abc"));
+        assert!(!result.contains("api-key-123"));
+        assert!(!result.contains("auth-token-456"));
+
+        // Non-sensitive header should be present
+        assert!(result.contains("x-request-id"));
+        assert!(result.contains("req-123"));
+    }
+}
