AlinsRan opened a new pull request, #13205: URL: https://github.com/apache/apisix/pull/13205
## Summary

Remove debug `core.log.info` statements that exposed sensitive credentials in nginx error logs at info level.

### Vulnerabilities Fixed

- **`sls-logger.lua`**: The `rf5424_data` string (containing `access-key-secret`) was logged in `combine_syslog()` and `_M.log()` on each log flush.
- **`hmac-auth.lua`**: Canonical header names and values (which may include `Authorization` and `Cookie` headers) were logged during HMAC signature generation.
- **`tcp-logger.lua`** / **`udp-logger.lua`**: The full serialized `log_message` payload (containing all request headers and body) was logged before each send.

### Changes

**Plugin fixes** (`apisix/plugins/`):

- Remove 8 `core.log.info` lines across 4 plugin files (`sls-logger.lua`, `hmac-auth.lua`, `tcp-logger.lua`, `udp-logger.lua`).

**Regression tests** (`t/plugin/`):

- `sls-logger.t`: Add `extra_init_by_lua` hook on `batch_processor_manager.add_entry_to_new_processor` to print `entry.data` (the raw RFC5424-encoded string) to the error log. Existing TEST 14 and TEST 15 `--- error_log` assertions continue to verify that request/response body is captured and forwarded correctly.
- `tcp-logger.t` / `udp-logger.t`: Same hook pattern using `core.json.encode(entry)`. Existing TEST 16/17 and TEST 13/14 `--- error_log` assertions continue to verify body collection works end-to-end.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
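The PR above fixes the leak by deleting the debug statements outright. Where a plugin still needs to log a payload for troubleshooting, the defensive pattern is to mask credential-bearing fields before anything reaches `core.log.*`. The following is an added example, not code from the PR or from the APISIX code base: it is standalone Lua (5.1+/LuaJIT, no APISIX modules), the `redact` and `encode` helpers are hypothetical names, the sensitive-key list is an assumption, and the `log_message` table is a constructed sample shaped like the one `tcp-logger.lua` serializes. In APISIX the serializer would be `core.json.encode` and the sink `core.log.debug`.

```lua
-- Added example (not part of the PR or of APISIX): mask sensitive fields in a
-- log payload before it is serialized and written to the error log.

-- Assumed list of header/field names that must never appear in plain text in logs.
local SENSITIVE = {
  ["authorization"]       = true,
  ["proxy-authorization"] = true,
  ["cookie"]              = true,
  ["set-cookie"]          = true,
  ["x-api-key"]           = true,
  ["access-key-secret"]   = true,
  ["access_key_secret"]   = true,
  ["password"]            = true,
}

-- Deep-copy a table, replacing values under sensitive keys (case-insensitive).
-- The original table is left untouched so the real payload is still sent to the
-- log collector unmodified; only the copy destined for the error log is masked.
local function redact(value, depth)
  depth = depth or 0
  if type(value) ~= "table" or depth > 8 then
    return value
  end
  local out = {}
  for k, v in pairs(value) do
    if type(k) == "string" and SENSITIVE[string.lower(k)] then
      out[k] = "[REDACTED]"
    else
      out[k] = redact(v, depth + 1)
    end
  end
  return out
end

-- Minimal deterministic JSON-like serializer (map-only, sorted keys) so the
-- example runs without cjson. Stand-in for core.json.encode in APISIX.
local function encode(v)
  local t = type(v)
  if t == "string" then
    return string.format("%q", v)
  elseif t == "number" or t == "boolean" then
    return tostring(v)
  elseif t ~= "table" then
    return "null"
  end
  local keys = {}
  for k in pairs(v) do keys[#keys + 1] = k end
  table.sort(keys, function(a, b) return tostring(a) < tostring(b) end)
  local parts = {}
  for _, k in ipairs(keys) do
    parts[#parts + 1] = string.format("%q:%s", tostring(k), encode(v[k]))
  end
  return "{" .. table.concat(parts, ",") .. "}"
end

-- Pre-serialized strings (such as the RFC5424 line built for sls-logger) cannot
-- be redacted field by field; log only metadata about them.
local function describe_opaque(s)
  return string.format("{\"bytes\":%d}", #s)
end

-- Constructed sample payload, shaped like what tcp-logger/udp-logger serialize.
local log_message = {
  route_id = "1",
  host = "example.test",
  request = {
    headers = {
      ["Host"] = "example.test",
      ["Authorization"] = "Basic Zm9vOmJhcg==",   -- constructed, not a real credential
      ["Cookie"] = "session=constructed-value",
    },
    body = "{\"hello\":\"world\"}",
  },
  response = { status = 200 },
}

-- What would have reached the error log before the fix:
print("unsafe: " .. encode(log_message))
-- What a debug statement should emit instead:
print("safe:   " .. encode(redact(log_message)))
-- For an already-encoded syslog line, record size only:
print("opaque: " .. describe_opaque("<14>1 2024-01-01T00:00:00Z host apisix - - [access-key-secret=constructed]"))
```

Run with `lua example.lua`; the `safe:` line shows `Authorization` and `Cookie` replaced by `[REDACTED]` while every other field is preserved, and the `opaque:` line shows that a pre-built syslog string is reduced to its byte length rather than echoed. The matching test-side check is the one the PR uses: assert on the forwarded payload through a hook in `extra_init_by_lua`, not on the plugin's own error-log output.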
