gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(s3): remove customer encryption key from SSE-C debug log (#8875)

Browse Source 
* fix(s3): remove customer encryption key from SSE-C debug log

The debug log in validateAndParseSSECHeaders was logging the raw
customer-provided encryption key bytes in hex format (keyBytes=%x),
leaking sensitive key material to log output. Remove the key bytes
from the log statement while keeping the MD5 hash comparison info.

* Apply suggestion from @gemini-code-assist[bot]

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
This commit is contained in:
Chris Lu
2026-04-01 23:23:56 -07:00
committed by GitHub
parent 2a6f27eb08
commit b3e50bb12f
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
weed/s3api/s3_sse_c.go
View File

@@ -58,9 +58,9 @@ var (
// SSECustomerKey represents a customer-provided encryption key for SSE-C // SSECustomerKey represents a customer-provided encryption key for SSE-C
type SSECustomerKey struct { type SSECustomerKey struct {
Algorithm string Algorithm string
Key []byte Key []byte
KeyMD5 string KeyMD5 string
} }
// IsSSECRequest checks if the request contains SSE-C headers // IsSSECRequest checks if the request contains SSE-C headers
@@ -119,8 +119,8 @@ func validateAndParseSSECHeaders(algorithm, key, keyMD5 string) (*SSECustomerKey
sum := md5.Sum(keyBytes) sum := md5.Sum(keyBytes)
expectedMD5 := base64.StdEncoding.EncodeToString(sum[:]) expectedMD5 := base64.StdEncoding.EncodeToString(sum[:])
// Debug logging for MD5 validation // Debug logging for MD5 validation (never log key material)
glog.V(4).Infof("SSE-C MD5 validation: provided='%s', expected='%s', keyBytes=%x", keyMD5, expectedMD5, keyBytes) glog.V(4).Infof("SSE-C MD5 validation: provided='%s', expected='%s'", keyMD5, expectedMD5)
if keyMD5 != expectedMD5 { if keyMD5 != expectedMD5 {
glog.Errorf("SSE-C MD5 mismatch: provided='%s', expected='%s'", keyMD5, expectedMD5) glog.Errorf("SSE-C MD5 mismatch: provided='%s', expected='%s'", keyMD5, expectedMD5)