Skip to content

[CRED-2625] Redact Authorization (Bearer) header in sanitize_request_header#3340

Draft
luczhou wants to merge 1 commit into
masterfrom
lucinda.zhou/CRED-2625/redact-authorization-header
Draft

[CRED-2625] Redact Authorization (Bearer) header in sanitize_request_header#3340
luczhou wants to merge 1 commit into
masterfrom
lucinda.zhou/CRED-2625/redact-authorization-header

Conversation

@luczhou
Copy link
Copy Markdown

@luczhou luczhou commented May 15, 2026

Description

api_client.rb's debug-log path (lib/datadog_api_client/api_client.rb:155-164, called from line 211) runs request headers through sanitize_request_header before @config.logger.debug to mask DD-API-KEY and DD-APPLICATION-KEY values. The Authorization header set from Bearer-token auth (delegated tokens, PATs) is missing from the keys_to_redact list and gets logged verbatim — any caller running with debug logging and access-token auth leaks the bearer to the global logger.

Surfaced cross-language by terraform-provider-datadog#3757, which is the first Terraform code path to set the equivalent ContextAccessToken in the Go SDK. The same gap exists here in Ruby.

Tracking ticket: CRED-2625.

Changes

  • .generator/src/generator/templates/api_client.j2:146: add "Authorization" as a third entry in keys_to_redact.
  • lib/datadog_api_client/api_client.rb: mirror the same edit in the generated file so the diff matches what the next regen produces.
  • spec/api_client_spec.rb: new #sanitize_request_header describe block — drives the method directly with all three credential headers plus a non-credential header, asserts each credential becomes "REDACTED", the non-credential header passes through unchanged, and the input hash is not mutated.

Cross-language

Related work tracked under CRED-2625:

  • datadog-api-client-go PR #4098 — same fix shape (redact ContextAccessToken in CallAPI debug dump).
  • datadog-api-client-typescript PR #4168 — same fix shape (add Authorization to allowlist in isomorphic-fetch.ts:logRequest).
  • datadog-api-client-java GH issue (forthcoming) — wider gap. Jersey LoggingFeature.PAYLOAD_ANY has no header redaction at all, so api/app keys and bearer leak there.
  • datadog-api-client-python — no equivalent gap (no request-header logging in rest.j2).

Testing

  • bundle exec rspec spec/api_client_spec.rb -e "sanitize_request_header" passes
  • Full bundle exec rspec spec/api_client_spec.rb (run by CI)

🤖 Generated with Claude Code

@luczhou @claude
Redact Authorization (Bearer) header in sanitize_request_header
4a37362 
api_client.rb's debug log path calls sanitize_request_header before
@config.logger.debug to mask DD-API-KEY and DD-APPLICATION-KEY values.
The Authorization header set from Bearer-token auth (delegated tokens,
PATs) is missing from the keys_to_redact list and gets logged verbatim
— any caller running with debug logging and access-token auth leaks
the bearer to the global logger.

Surfaced cross-language by terraform-provider-datadog#3757, which is
the first Terraform code path to set the equivalent ContextAccessToken
in the Go SDK. The same gap exists here in Ruby.

Add "Authorization" as a third entry in keys_to_redact. Apply the
change to both the .j2 template and the generated api_client.rb so
the file matches what the next regen produces.

Test (spec/api_client_spec.rb #sanitize_request_header) drives the
method directly with all three credential headers plus a non-credential
header set, asserts each credential becomes "REDACTED", the non-
credential header passes through unchanged, and the input hash is not
mutated.

Refs: CRED-2625, terraform-provider-datadog#3757

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@luczhou luczhou mentioned this pull request May 15, 2026
Draft
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@luczhou