fix: Redact SDK in gen_server descriptions and network errors.

Author: kinyoklion

src/ldclient_event_dispatch_httpc.erl

@@ -60,10 +60,10 @@ send(State, JsonEvents, PayloadId, Uri) ->
 
 -type http_request() :: {ok, {{string(), integer(), string()}, [{string(), string()}], string() | binary()}}.
 
--spec process_request({error, term()} | http_request()) 
+-spec process_request({error, term()} | http_request())
     -> {ok, integer()} | {error, temporary, string()} | {error, permanent, string()}.
 process_request({error, Reason}) ->
-    {error, temporary, Reason};
+    {error, temporary, ldclient_key_redaction:format_httpc_error(Reason)};
 process_request({ok, {{_Version, StatusCode, _ReasonPhrase}, Headers, _Body}}) when StatusCode < 400 ->
     {ok, get_server_time(Headers)};
 process_request({ok, {{Version, StatusCode, ReasonPhrase}, _Headers, _Body}}) ->

src/ldclient_event_process_server.erl

@@ -12,7 +12,7 @@
 -export([start_link/1, init/1]).
 
 %% Behavior callbacks
--export([code_change/3, handle_call/3, handle_cast/2, handle_info/2, terminate/2]).
+-export([code_change/3, handle_call/3, handle_cast/2, handle_info/2, terminate/2, format_status/1]).
 
 %% API
 -export([
@@ -152,6 +152,15 @@ terminate(_Reason, _State) ->
 code_change(_OldVsn, State, _Extra) ->
     {ok, State}.
 
+%% @doc Redact SDK key from state for logging
+%% @private
+%%
+%% @end
+format_status(#{state := State}) ->
+    #{state => State#{sdk_key => "[REDACTED]"}};
+format_status(Other) ->
+    Other.
+
 %%===================================================================
 %% Internal functions
 %%===================================================================

src/ldclient_key_redaction.erl

@@ -0,0 +1,101 @@
+%%-------------------------------------------------------------------
+%% @doc SDK key redaction utilities
+%% @private
+%% Provides functions to safely format error reasons and other data
+%% to prevent SDK keys from appearing in logs.
+%% @end
+%%-------------------------------------------------------------------
+
+-module(ldclient_key_redaction).
+
+%% API
+-export([format_httpc_error/1]).
+-export([format_shotgun_error/1]).
+
+%%===================================================================
+%% API
+%%===================================================================
+
+%% @doc Format httpc error for safe logging
+%%
+%% This function provides an abstract representation of httpc error reasons
+%% that is safe to log. It only formats known error types. Unknown
+%% error types are represented as "unknown_error" to prevent accidental
+%% exposure of SDK keys, especially in cases where the SDK key might
+%% contain special characters like newlines.
+%% @end
+-spec format_httpc_error(Reason :: term()) -> string().
+%% HTTP status codes or other integers are safe to log
+format_httpc_error(StatusCode) when is_integer(StatusCode) ->
+    lists:flatten(io_lib:format("~b", [StatusCode]));
+%% Common httpc connection errors
+format_httpc_error({failed_connect, _}) ->
+    "failed to connect";
+format_httpc_error(timeout) ->
+    "timeout";
+format_httpc_error(etimedout) ->
+    "connection timeout";
+format_httpc_error(econnrefused) ->
+    "connection refused";
+format_httpc_error(enetunreach) ->
+    "network unreachable";
+format_httpc_error(ehostunreach) ->
+    "host unreachable";
+format_httpc_error(nxdomain) ->
+    "domain name not found";
+format_httpc_error({tls_alert, {_, Description}}) when is_atom(Description) ->
+    lists:flatten(io_lib:format("tls_alert: ~p", [Description]));
+format_httpc_error({tls_alert, Alert}) ->
+    lists:flatten(io_lib:format("tls_alert: ~p", [Alert]));
+%% Socket errors
+format_httpc_error({socket_closed_remotely, _, _}) ->
+    "socket closed remotely";
+format_httpc_error(closed) ->
+    "connection closed";
+format_httpc_error(enotconn) ->
+    "socket not connected";
+%% Known atom errors
+format_httpc_error(Reason) when is_atom(Reason) ->
+    atom_to_list(Reason);
+%% For any unknown error type, do not expose details
+format_httpc_error(_Reason) ->
+    "unknown_error".
+
+%% @doc Format shotgun/gun error for safe logging
+%%
+%% This function provides an abstract representation of shotgun error reasons
+%% that is safe to log. Shotgun uses gun underneath, so errors can come from gun.
+%% Unknown error types are represented as "unknown_error".
+%% @end
+-spec format_shotgun_error(Reason :: term()) -> string().
+%% HTTP status codes or other integers are safe to log
+format_shotgun_error(StatusCode) when is_integer(StatusCode) ->
+    lists:flatten(io_lib:format("~b", [StatusCode]));
+%% Known shotgun errors from open
+format_shotgun_error(gun_open_failed) ->
+    "connection failed to open";
+format_shotgun_error(gun_open_timeout) ->
+    "timeout opening connection";
+%% Gun/socket errors
+format_shotgun_error(timeout) ->
+    "connection timeout";
+format_shotgun_error(econnrefused) ->
+    "connection refused";
+format_shotgun_error(enetunreach) ->
+    "network unreachable";
+format_shotgun_error(ehostunreach) ->
+    "host unreachable";
+format_shotgun_error(nxdomain) ->
+    "domain name not found";
+format_shotgun_error({shutdown, _}) ->
+    "connection shutdown";
+format_shotgun_error(normal) ->
+    "connection closed normally";
+format_shotgun_error(closed) ->
+    "connection closed";
+%% Known atom errors
+format_shotgun_error(Reason) when is_atom(Reason) ->
+    atom_to_list(Reason);
+%% For any unknown error type, do not expose details
+format_shotgun_error(_Reason) ->
+    "unknown error".

src/ldclient_update_poll_server.erl

@@ -12,7 +12,7 @@
 -export([start_link/1, init/1]).
 
 %% Behavior callbacks
--export([code_change/3, handle_call/3, handle_cast/2, handle_info/2, terminate/2]).
+-export([code_change/3, handle_call/3, handle_cast/2, handle_info/2, terminate/2, format_status/1]).
 
 -type state() :: #{
     sdk_key := string(),
@@ -107,6 +107,15 @@ terminate(_Reason, _State) ->
 code_change(_OldVsn, State, _Extra) ->
     {ok, State}.
 
+%% @doc Redact SDK key from state for logging
+%% @private
+%%
+%% @end
+format_status(#{state := State}) ->
+    #{state => State#{sdk_key => "[REDACTED]"}};
+format_status(Other) ->
+    Other.
+
 %%===================================================================
 %% Internal functions
 %%===================================================================

src/ldclient_update_stream_server.erl

@@ -92,7 +92,9 @@ handle_info({listen}, #{stream_uri := Uri} = State) ->
 handle_info({'DOWN', _Mref, process, ShotgunPid, Reason}, #{conn := ShotgunPid, backoff := Backoff} = State) ->
     NewBackoff = ldclient_backoff:fail(Backoff),
     _ = ldclient_backoff:fire(NewBackoff),
-    error_logger:warning_msg("Got DOWN message from shotgun pid with reason: ~p, will retry in ~p ms~n", [Reason, maps:get(current, NewBackoff)]),
+    % Reason from DOWN message could contain connection details with headers/SDK keys
+    SafeReason = ldclient_key_redaction:format_shotgun_error(Reason),
+    error_logger:warning_msg("Got DOWN message from shotgun pid with reason: ~s, will retry in ~p ms~n", [SafeReason, maps:get(current, NewBackoff)]),
     {noreply, State#{conn := undefined, backoff := NewBackoff}};
 handle_info({timeout, _TimerRef, listen}, State) ->
     error_logger:info_msg("Reconnecting streaming connection...~n"),
@@ -132,13 +134,16 @@ do_listen(#{
             NewBackoff = do_listen_fail_backoff(Backoff, temporary, Reason),
             State#{backoff := NewBackoff};
         {error, permanent, Reason} ->
+            % Reason here is already safe: either a sanitized string from format_shotgun_error
+            % or an integer status code from the do_listen/5 method.
             error_logger:error_msg("Stream encountered permanent error ~p, giving up~n", [Reason]),
             State;
         {ok, Pid} ->
             NewBackoff = ldclient_backoff:succeed(Backoff),
             State#{conn := Pid, backoff := NewBackoff}
-        catch Code:Reason ->
-            NewBackoff = do_listen_fail_backoff(Backoff, Code, Reason),
+        catch Code:_Reason ->
+            % Don't pass raw exception reason as it could contain unsafe data
+            NewBackoff = do_listen_fail_backoff(Backoff, Code, "unexpected exception"),
             State#{backoff := NewBackoff}
     end.
 
@@ -171,9 +176,10 @@ do_listen(Uri, FeatureStore, Tag, GunOpts, Headers) ->
             F = fun(nofin, _Ref, Bin) ->
                     try
                         process_event(parse_shotgun_event(Bin), FeatureStore, Tag)
-                    catch Code:Reason ->
-                        % Exception when processing event, log error, close connection
-                        error_logger:warning_msg("Invalid SSE event error (~p): ~p", [Code, Reason]),
+                    catch Code:_Reason ->
+                        % Exception when processing event - don't log exception details
+                        % as they could theoretically contain sensitive data
+                        error_logger:warning_msg("Invalid SSE event error (~p)", [Code]),
                         shotgun:close(Pid)
                     end;
                 (fin, _Ref, _Bin) ->
@@ -185,7 +191,8 @@ do_listen(Uri, FeatureStore, Tag, GunOpts, Headers) ->
             case shotgun:get(Pid, Path ++ Query, Headers, Options) of
                 {error, Reason} ->
                     shotgun:close(Pid),
-                    {error, temporary, Reason};
+                    SafeReason = ldclient_key_redaction:format_shotgun_error(Reason),
+                    {error, temporary, SafeReason};
                 {ok, #{status_code := StatusCode}} when StatusCode >= 400 ->
                     {error, ldclient_http:is_http_error_code_recoverable(StatusCode), StatusCode};
                 {ok, _Ref} ->

test/ldclient_key_redaction_SUITE.erl

@@ -0,0 +1,85 @@
+-module(ldclient_key_redaction_SUITE).
+
+-include_lib("common_test/include/ct.hrl").
+
+%% ct functions
+-export([all/0]).
+-export([init_per_suite/1]).
+-export([end_per_suite/1]).
+
+%% Tests
+-export([
+    format_httpc_error_atom/1,
+    format_httpc_error_integer/1,
+    format_httpc_error_tuple/1,
+    format_httpc_error_unknown/1,
+    format_shotgun_error_atom/1,
+    format_shotgun_error_integer/1,
+    format_shotgun_error_unknown/1
+]).
+
+%%====================================================================
+%% ct functions
+%%====================================================================
+
+all() ->
+    [
+        format_httpc_error_atom,
+        format_httpc_error_integer,
+        format_httpc_error_tuple,
+        format_httpc_error_unknown,
+        format_shotgun_error_atom,
+        format_shotgun_error_integer,
+        format_shotgun_error_unknown
+    ].
+
+init_per_suite(Config) ->
+    Config.
+
+end_per_suite(_) ->
+    ok.
+
+%%====================================================================
+%% Tests
+%%====================================================================
+
+format_httpc_error_atom(_) ->
+    % Known atom errors should be formatted safely
+    "timeout" = ldclient_key_redaction:format_httpc_error(timeout),
+    "connection refused" = ldclient_key_redaction:format_httpc_error(econnrefused),
+    "connection timeout" = ldclient_key_redaction:format_httpc_error(etimedout).
+
+format_httpc_error_integer(_) ->
+    % HTTP status codes should be formatted as integers
+    "404" = ldclient_key_redaction:format_httpc_error(404),
+    "500" = ldclient_key_redaction:format_httpc_error(500),
+    "200" = ldclient_key_redaction:format_httpc_error(200).
+
+format_httpc_error_tuple(_) ->
+    % Known tuple errors should be formatted safely
+    "failed to connect" = ldclient_key_redaction:format_httpc_error({failed_connect, []}),
+    "connection closed" = ldclient_key_redaction:format_httpc_error(closed).
+
+format_httpc_error_unknown(_) ->
+    % Unknown error types, including those that might contain SDK keys, should be redacted
+    "unknown_error" = ldclient_key_redaction:format_httpc_error({http_error, "sdk-12345"}),
+    "unknown_error" = ldclient_key_redaction:format_httpc_error(["Authorization: sdk-test\n"]),
+    "unknown_error" = ldclient_key_redaction:format_httpc_error({request, [{headers, [{"Authorization", "sdk-key-with-newline\n"}]}]}).
+
+format_shotgun_error_atom(_) ->
+    % Known atom errors should be formatted safely
+    "timeout" = ldclient_key_redaction:format_shotgun_error(timeout),
+    "gun_open_failed" = ldclient_key_redaction:format_shotgun_error(gun_open_failed),
+    "gun_open_timeout" = ldclient_key_redaction:format_shotgun_error(gun_open_timeout),
+    "connection refused" = ldclient_key_redaction:format_shotgun_error(econnrefused).
+
+format_shotgun_error_integer(_) ->
+    % HTTP status codes should be formatted as integers
+    "401" = ldclient_key_redaction:format_shotgun_error(401),
+    "500" = ldclient_key_redaction:format_shotgun_error(500).
+
+format_shotgun_error_unknown(_) ->
+    % Unknown error types, including those that might contain SDK keys, should be redacted
+    "unknown_error" = ldclient_key_redaction:format_shotgun_error({gun_error, "sdk-12345"}),
+    "unknown_error" = ldclient_key_redaction:format_shotgun_error(["Headers: sdk-test\n"]),
+    "unknown_error" = ldclient_key_redaction:format_shotgun_error({connection_error, [{auth, "sdk-malformed\nkey"}]}).