Improve SSRF rejection logging with request context#232
Conversation
Enrich SSRF validation failure logs to support security monitoring and incident investigation. Each rejection now includes the peer address, HTTP method, and request path. Changes: - Differentiate rejection reasons: X-Forwarded-For present, token mismatch, and missing token header - Thread peer_addr from TCP accept through to validate_token - Never log token values, query parameters, or header values to avoid exposing sensitive information
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #232 +/- ##
==========================================
+ Coverage 86.27% 86.32% +0.05%
==========================================
Files 34 34
Lines 9331 9369 +38
Branches 9331 9369 +38
==========================================
+ Hits 8050 8088 +38
Misses 1148 1148
Partials 133 133 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Keep the original message text verbatim and append additional context (reason, peer, method, path) after a semicolon delimiter, so existing customer log filters on the original messages continue to match.
There was a problem hiding this comment.
⚠️ Performance Alert ⚠️
Possible performance regression was detected for benchmark 'Secrets Manager Caching Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.
| Benchmark suite | Current: 012e36d | Previous: d47a49d | Ratio |
|---|---|---|---|
CacheEviction |
78732 ns/iter (± 11867) |
49133 ns/iter (± 12612) |
1.60 |
This comment was automatically generated by workflow using github-action-benchmark.
Add tests that explicitly exercise the token mismatch path (recognized header with wrong value) and the missing header path (no recognized SSRF header present) to verify both branches produce the expected 403 response. Also fix doc comment to use Err(HttpError) instead of Err((u16, String)).
|
Claude finished @reyhankoyun's task in 3m 15s —— View job Code Review — PR #232: Improve SSRF rejection logging
Overall this is a clean, well-scoped change. Threading ✅ Strengths
🔎 Observations & suggestions (all non-blocking)
⚡ PerformanceThe benchmark alert on 🔒 SecurityNo concerns. The change is defensive (better observability for SSRF rejections), doesn't alter the auth decision logic, and No blocking issues. LGTM pending the team's call on point (1). |
Description
Why is this change being made?
What is changing?
peer_addrfrom TCPaccept()through the request handling chain tovalidate_token().reason=field in the appended context.Related Links
Testing
How was this tested?
cargo test --package aws_secretsmanager_provider)cargo check --workspace)When testing locally, provide testing artifact(s):
cargo test --package aws_secretsmanager_provider— 93 passed, 0 failedcargo check --workspace --exclude integration-tests— success, no errorsReviewee Checklist
Update the checklist after submitting the PR
If not, why:
If not, why:
If not, why:
If not, why:
If not, why: Change is to log message formatting only; no new integration test scenarios needed
If not, why: No behavioral change to HTTP responses or caching logic
If not, why:
If not, why:
If not, why: N/A — internal log format change
If not, why: N/A — no breaking changes
Reviewer Checklist
All reviewers please ensure the following are true before reviewing:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.