
Citoid is logging all request / response headers as separate fields
Open, Needs Triage, Public

Description

This is similar to but different from T238083: Citoid logs fields explosion, in that it looks like citoid will log all headers for its error request/responses as separate fields, e.g.

          "err_headers_accept-ch": {
          "err_headers_accept-ch-lifetime": {
          "err_headers_accept-ranges": {
          "err_headers_access-control-allow-credentials": {
...
          "err_headers_x-via-edge": {
          "err_headers_x-via-fastly": {
          "err_headers_x-wix-request-id": {
          "err_headers_x-xss-protection": {

This is problematic because such headers can be controlled by users and might end up spamming elasticsearch fields. I don't know if this is a citoid thing or a preq library thing though (cc @mobrovac) and it isn't super urgent, but a potential problem for sure.

More context of this (elasticsearch fields explosion) work: T180051 T189333
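
One way to keep the set of logged field names bounded, as an added example (not Citoid's or preq's code, and not part of the task description): allow-listed headers keep their own `err_headers_*` field and every other header is folded into a single array field. The allow-list, the caps, the `err_headers_other` name and the sample headers are assumptions constructed for illustration.

```javascript
// Assumed allow-list: headers worth keeping as individual, stable fields.
const KEEP = new Set(['content-type', 'content-length', 'retry-after', 'location']);
const MAX_VALUE_LEN = 256; // assumed cap on any logged header value
const MAX_OTHER = 20;      // assumed cap on how many other headers are recorded

// Naive flattening, matching the field names in the task: one field per header.
function flattenAll(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[`err_headers_${name.toLowerCase()}`] = String(value);
  }
  return out;
}

// Bounded flattening: allow-listed headers keep their own field; every other
// header goes into one array-of-strings field, so remote sites cannot add
// new field names to the index mapping.
function flattenBounded(headers) {
  const out = {};
  const other = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const val = String(value).slice(0, MAX_VALUE_LEN);
    if (KEEP.has(key)) {
      out[`err_headers_${key}`] = val;
    } else if (other.length < MAX_OTHER) {
      other.push(`${key.slice(0, 64)}: ${val}`);
    }
  }
  if (other.length) out.err_headers_other = other;
  return out;
}

// Constructed sample: error responses from two remote sites with custom headers.
const responses = [
  { 'Content-Type': 'text/html', 'X-Wix-Request-Id': 'abc', 'X-Via-Fastly': '1' },
  { 'Content-Type': 'text/html', 'X-Random-1': 'a', 'X-Random-2': 'b' },
];

// Number of distinct field names the log index needs for the sample documents.
function distinctFields(flatten) {
  const names = new Set();
  for (const h of responses) Object.keys(flatten(h)).forEach((k) => names.add(k));
  return names.size;
}

console.log(distinctFields(flattenAll), distinctFields(flattenBounded));
```

With the naive version the field count grows with every new header name a remote site sends; with the bounded version it can never exceed the allow-list size plus one.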

Event Timeline

Restricted Application added a subscriber: Aklapper. Dec 3 2019, 1:47 PM
fgiunchedi updated the task description. Dec 3 2019, 1:47 PM
fgiunchedi added a subscriber: Wikimedia-Logstash.