add option to redact sensitive query params

Author: MinhDang685

okhttp-logging-interceptor/api/logging-interceptor.api

@@ -7,6 +7,7 @@ public final class okhttp3/logging/HttpLoggingInterceptor : okhttp3/Interceptor
 	public fun intercept (Lokhttp3/Interceptor$Chain;)Lokhttp3/Response;
 	public final fun level (Lokhttp3/logging/HttpLoggingInterceptor$Level;)V
 	public final fun redactHeader (Ljava/lang/String;)V
+	public final fun redactQueryParams ([Ljava/lang/String;)V
 	public final fun setLevel (Lokhttp3/logging/HttpLoggingInterceptor$Level;)Lokhttp3/logging/HttpLoggingInterceptor;
 }
 

okhttp-logging-interceptor/src/main/kotlin/okhttp3/logging/HttpLoggingInterceptor.kt

@@ -22,6 +22,7 @@ import java.nio.charset.Charset
 import java.util.TreeSet
 import java.util.concurrent.TimeUnit
 import okhttp3.Headers
+import okhttp3.HttpUrl
 import okhttp3.Interceptor
 import okhttp3.OkHttpClient
 import okhttp3.Response
@@ -46,6 +47,8 @@ class HttpLoggingInterceptor
   ) : Interceptor {
     @Volatile private var headersToRedact = emptySet<String>()
 
+    @Volatile private var queryParamsNameToRedact = emptySet<String>()
+
     @set:JvmName("level")
     @Volatile
     var level = Level.NONE
@@ -132,6 +135,13 @@ class HttpLoggingInterceptor
       headersToRedact = newHeadersToRedact
     }
 
+    fun redactQueryParams(vararg name: String) {
+      val newQueryParamsNameToRedact = TreeSet(String.CASE_INSENSITIVE_ORDER)
+      newQueryParamsNameToRedact += queryParamsNameToRedact
+      newQueryParamsNameToRedact.addAll(name)
+      queryParamsNameToRedact = newQueryParamsNameToRedact
+    }
+
     /**
      * Sets the level and returns this.
      *
@@ -168,7 +178,7 @@ class HttpLoggingInterceptor
 
       val connection = chain.connection()
       var requestStartMessage =
-        ("--> ${request.method} ${request.url}${if (connection != null) " " + connection.protocol() else ""}")
+        ("--> ${request.method} ${sanitizeUrl(request.url)}${if (connection != null) " " + connection.protocol() else ""}")
       if (!logHeaders && requestBody != null) {
         requestStartMessage += " (${requestBody.contentLength()}-byte body)"
       }
@@ -251,7 +261,7 @@ class HttpLoggingInterceptor
         buildString {
           append("<-- ${response.code}")
           if (response.message.isNotEmpty()) append(" ${response.message}")
-          append(" ${response.request.url} (${tookMs}ms")
+          append(" ${sanitizeUrl(response.request.url)} (${tookMs}ms")
           if (!logHeaders) append(", $bodySize body")
           append(")")
         },
@@ -312,6 +322,29 @@ class HttpLoggingInterceptor
       return response
     }
 
+    private fun sanitizeUrl(url: HttpUrl): String {
+      val params = ArrayList<Pair<String, String>>()
+      for (parameterName in url.queryParameterNames) {
+        params.add(
+          Pair(
+            first = parameterName,
+            second = if (parameterName in queryParamsNameToRedact) "██" else url.queryParameter(parameterName) ?: "",
+          ),
+        )
+      }
+      val queryParamsBuilder = StringBuilder()
+      val totalParam = params.size
+      if (totalParam > 0) {
+        queryParamsBuilder.append("?")
+        params.forEachIndexed { index, param ->
+          val suffix = if (index != totalParam - 1) "&" else ""
+          queryParamsBuilder.append("${param.first}=${param.second}$suffix")
+        }
+      }
+
+      return "${url.toString().substringBefore("?")}$queryParamsBuilder"
+    }
+
     private fun logHeader(
       headers: Headers,
       i: Int,

okhttp-logging-interceptor/src/test/java/okhttp3/logging/HttpLoggingInterceptorTest.kt

@@ -903,6 +903,51 @@ class HttpLoggingInterceptorTest {
       .assertNoMoreLogs()
   }
 
+  @Test
+  fun sensitiveQueryParamsAreRedacted() {
+    url = server.url("/api/login?user=test_user&authentication=basic&password=confidential_password")
+    val sanitizedUrl = "${server.url("/")}api/login?user=██&authentication=basic&password=██"
+    val sanitizedUrlPattern = sanitizedUrl.replace("?", """\?""")
+
+    val networkInterceptor =
+      HttpLoggingInterceptor(networkLogs).setLevel(
+        Level.BASIC,
+      )
+    networkInterceptor.redactQueryParams("user", "passWord")
+
+    val applicationInterceptor =
+      HttpLoggingInterceptor(applicationLogs).setLevel(
+        Level.BASIC,
+      )
+    applicationInterceptor.redactQueryParams("user", "PassworD")
+
+    client =
+      OkHttpClient.Builder()
+        .addNetworkInterceptor(networkInterceptor)
+        .addInterceptor(applicationInterceptor)
+        .build()
+    server.enqueue(
+      MockResponse.Builder()
+        .build(),
+    )
+    val response =
+      client
+        .newCall(
+          request()
+            .build(),
+        )
+        .execute()
+    response.body.close()
+    applicationLogs
+      .assertLogEqual("--> GET $sanitizedUrl")
+      .assertLogMatch(Regex("""<-- 200 OK $sanitizedUrlPattern \(\d+ms, \d+-byte body\)"""))
+      .assertNoMoreLogs()
+    networkLogs
+      .assertLogEqual("--> GET $sanitizedUrl http/1.1")
+      .assertLogMatch(Regex("""<-- 200 OK $sanitizedUrlPattern \(\d+ms, \d+-byte body\)"""))
+      .assertNoMoreLogs()
+  }
+
   @Test
   fun duplexRequestsAreNotLogged() {
     platform.assumeHttp2Support()