[fix](stream load) mask sensitive stream load headers #64914

Open
oldkingnana wants to merge 1 commit into apache:branch-4.1 from oldkingnana:learn/debug-stream-load-header-leak

@oldkingnana

Mask Authorization, Proxy-Authorization, Auth-Token, and token values when rendering HTTP request headers for logs/debug strings.

Chinese: Mask sensitive headers in Stream Load HTTP request logs so that Authorization, Proxy-Authorization, Auth-Token, and token are not leaked in plaintext.

What problem does this PR solve?

Issue Number: close #64514

Related PR: None

Problem Summary: Sensitive Stream Load HTTP headers may be exposed when request headers are rendered for logs or debug strings. This PR masks the values of Authorization, Proxy-Authorization, Auth-Token, and token to avoid leaking credentials in log/debug output.

Release note

None

Check List (For Author)

  • Test
    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason

Manual test:

./build-support/check-format.sh
./test/doris_be_test --gtest_filter=HttpRequestTest.*
  • Behavior changed:
    • No.
    • Yes.

Sensitive HTTP header values are now masked in request debug/log output. Non-sensitive headers are still rendered as before.

  • Does this need documentation?
    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label
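
The masking described in the PR summary above, as an added C++ illustration that is not taken from this PR's diff or from the Doris code base. The function names `is_sensitive_header` and `render_headers_for_log`, the `***` placeholder, and the sample headers are assumptions made for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// The four header names from the PR description, stored lower-case.
static const char* const kSensitiveHeaders[] = {
        "authorization", "proxy-authorization", "auth-token", "token"};

// Hypothetical helper (not a Doris function). HTTP field names are
// case-insensitive, so the name is lower-cased before an exact comparison;
// exact matching keeps unrelated names such as "X-Token-Count" readable.
bool is_sensitive_header(const std::string& name) {
    std::string lower(name);
    std::transform(lower.begin(), lower.end(), lower.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    for (const char* sensitive : kSensitiveHeaders) {
        if (lower == sensitive) return true;
    }
    return false;
}

// Hypothetical renderer (not a Doris function): one "name: value" line per
// header. The whole value is replaced, so neither the auth scheme nor a
// token prefix reaches the log. "***" is an assumed placeholder.
std::string render_headers_for_log(const std::map<std::string, std::string>& headers) {
    std::string out;
    for (const auto& kv : headers) {
        out += kv.first + ": ";
        out += is_sensitive_header(kv.first) ? std::string("***") : kv.second;
        out += "\n";
    }
    return out;
}

int main() {
    // Constructed sample request headers, not captured from a real system.
    std::map<std::string, std::string> headers;
    headers["AUTHORIZATION"] = "Basic Y29uc3RydWN0ZWQ6c2FtcGxl";
    headers["Auth-Token"] = "constructed-token-value";
    headers["label"] = "load_1";
    std::cout << render_headers_for_log(headers);
    return 0;
}
```

A unit test for this kind of change is most useful when it asserts that the secret value is absent from the rendered string, including for mixed-case header names.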

@oldkingnana requested a review from yiguolei as a code owner June 28, 2026 09:05

@hello-stephen

Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@oldkingnana

Author

run buildall
