
Redact sensitive headers in HTTP request/response logs#469

Merged
dogancanbakir merged 6 commits into
projectdiscovery:mainfrom
mirackayikci:patch-1
Jun 25, 2026

Conversation

@mirackayikci

@mirackayikci mirackayikci commented Jun 17, 2026

Contributor

When --debug-req/--debug-resp is enabled, httputil.DumpRequestOut includes the X-PDCP-Key authentication header in plaintext, which can leak the API key into CI logs or shared terminal output. This PR masks the key value in debug request/response dumps while keeping the rest intact for debugging

Summary by CodeRabbit

  • Bug Fixes
    • Improved debug HTTP logging so sensitive credential header values are no longer shown in plain text.
    • Redacted API key details from request/response dumps to reduce the risk of leaking secrets in logs.
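An added example (not the PR's code) of the redaction helper the description outlines, generalised to several header names and written so the match can never leave the header line: `xPDCPHeaderKey` mirrors the constant name used in the PR, while the other header names and the sample dump are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Header names whose values must never reach debug output. xPDCPHeaderKey
// mirrors the constant name used in the PR; the other entries are assumptions
// added for this example.
const xPDCPHeaderKey = "X-PDCP-Key"

var sensitiveHeaders = []string{xPDCPHeaderKey, "X-Api-Key", "Authorization"}

// sensitiveHeaderRe is built from the constants rather than a hard-coded
// string, so renaming a header cannot silently bypass redaction.
// (?im): case-insensitive, ^ matches at each line start.
// [ \t]* and [^\r\n]* stay on the header line: an empty value cannot make the
// match spill onto the next header, and the CRLF line ending survives.
var sensitiveHeaderRe = regexp.MustCompile(
	`(?im)^((?:` + joinQuoted(sensitiveHeaders) + `):[ \t]*)[^\r\n]*`)

func joinQuoted(names []string) string {
	quoted := make([]string, len(names))
	for i, n := range names {
		quoted[i] = regexp.QuoteMeta(n)
	}
	return strings.Join(quoted, "|")
}

// RedactSensitiveHeaders masks the values of sensitive headers in a raw HTTP
// dump (as produced by httputil.DumpRequestOut/DumpResponse) and leaves every
// other line, including the body, untouched.
func RedactSensitiveHeaders(dump []byte) string {
	return sensitiveHeaderRe.ReplaceAllString(string(dump), "${1}[REDACTED]")
}

func main() {
	// Constructed sample dump; the key value is a placeholder, not a real credential.
	dump := "GET /v1/search HTTP/1.1\r\nHost: api.example.test\r\n" +
		"x-pdcp-key: pdcp_PLACEHOLDER_KEY\r\nUser-Agent: vulnx\r\n\r\n"
	fmt.Print(RedactSensitiveHeaders([]byte(dump)))
}
```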

Added redactSensitiveHeaders function to mask sensitive headers in HTTP dumps
@coderabbitai

coderabbitai Bot commented Jun 17, 2026


Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Debug HTTP request and response dumps in cmd/vulnx/clis/common.go now run through a redaction helper before logging. The helper replaces X-Api-Key header values with [REDACTED] using a case-insensitive regex.

Changes

Sensitive header redaction in debug logging

Layer / File(s): Redaction helper and debug callbacks (cmd/vulnx/clis/common.go)
Summary: Adds a redaction helper for X-Api-Key values and applies it to both debug HTTP request and response dump log paths.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Poem

A rabbit hopped by the loggy stream,
Nibbled on carrots and kept things clean.
“No secret keys shall leak tonight—
I tucked them safely out of sight! 🐰”

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 75.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main change: redacting sensitive headers from HTTP request/response debug logs.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/vulnx/clis/common.go`:
- Around line 1047-1051: Move the redactSensitiveHeaders() function from
cmd/vulnx/clis/common.go to a shared location in pkg/service/vulnx.go, export it
by capitalizing the first letter to make it RedactSensitiveHeaders(), and then
apply this exported function to redact the req.Dump() output before logging it
in the doRequest() function. This ensures the X-PDCP-Key header and other
sensitive information are masked across all debug logging paths, not just in the
CLI callbacks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 275d4d04-c47e-424f-b8f2-b60abd863a8c

📥 Commits

Reviewing files that changed from the base of the PR and between f9198cc and 64b4fb0.

📒 Files selected for processing (1)
  • cmd/vulnx/clis/common.go

Comment thread cmd/vulnx/clis/common.go Outdated
Added a function to redact sensitive headers from HTTP dumps to prevent leaking credentials.

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/service/vulnx.go`:
- Line 209: The debug request dump is currently using gologger.Print().Msgf()
instead of the appropriate debug log level. Replace gologger.Print().Msgf() with
gologger.Debug().Msgf() in the redactSensitiveHeaders call to maintain
consistency with coding guidelines and ensure debug logs are properly filterable
by log level.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 60cfd372-9737-44db-8e31-770ed494c146

📥 Commits

Reviewing files that changed from the base of the PR and between 64b4fb0 and 9f7609f.

📒 Files selected for processing (1)
  • pkg/service/vulnx.go

Comment thread pkg/service/vulnx.go Outdated

@coderabbitai coderabbitai Bot left a comment



🧹 Nitpick comments (1)
pkg/service/vulnx.go (1)

230-232: ⚡ Quick win

Build the redaction pattern from xPDCPHeaderKey.

The request code sets auth headers via xPDCPHeaderKey, but the redactor hard-codes the same string. Tie the regex to the constant so future header-name changes cannot silently bypass redaction.

As per coding guidelines, "Define constants at package level when used across functions".

Proposed fix
 func redactSensitiveHeaders(dump []byte) string {
-	re := regexp.MustCompile(`(?i)(X-PDCP-Key:\s*).*`)
+	re := regexp.MustCompile(`(?i)(` + regexp.QuoteMeta(xPDCPHeaderKey) + `:\s*).*`)
 	return re.ReplaceAllString(string(dump), "${1}[REDACTED]")
 }
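Review bot: the trailing `.*` in both the original and the proposed pattern also consumes the `\r` of the dump's CRLF line terminator (RE2's `.` excludes only `\n`), so the redacted line is left with a bare `\n`, and `\s*` can cross the line break when the header value is empty, letting the match swallow the following header line as well. Keeping the match on one line avoids both: `(?i)(` + regexp.QuoteMeta(xPDCPHeaderKey) + `:[ \t]*)[^\r\n]*`.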
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/service/vulnx.go` around lines 230 - 232, In the redactSensitiveHeaders
function, replace the hard-coded header name "X-PDCP-Key:" in the regex pattern
with the xPDCPHeaderKey constant. Build the regex pattern dynamically using the
constant value (e.g., fmt.Sprintf or string concatenation) so that the redaction
pattern automatically stays in sync with the xPDCPHeaderKey constant definition,
preventing silent bypass of redaction if the header name is ever changed.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/service/vulnx.go`:
- Around line 230-232: In the redactSensitiveHeaders function, replace the
hard-coded header name "X-PDCP-Key:" in the regex pattern with the
xPDCPHeaderKey constant. Build the regex pattern dynamically using the constant
value (e.g., fmt.Sprintf or string concatenation) so that the redaction pattern
automatically stays in sync with the xPDCPHeaderKey constant definition,
preventing silent bypass of redaction if the header name is ever changed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 94a78e6c-5eb3-4bfc-97ae-60bbde024ab4

📥 Commits

Reviewing files that changed from the base of the PR and between 9f7609f and e418e67.

📒 Files selected for processing (1)
  • pkg/service/vulnx.go

@ehsandeep ehsandeep requested a review from dogancanbakir June 24, 2026 19:03
@dogancanbakir

Member

@mirackayikci merge conflict

@dogancanbakir

Member

@coderabbitai create an issue to track this pr

@coderabbitai

coderabbitai Bot commented Jun 24, 2026


Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

gh issue create \
  --repo "projectdiscovery/vulnx" \
  --title "Redact sensitive headers (X-PDCP-Key) in debug HTTP request/response dumps" \
  --assignee "dogancanbakir" \
  --body "## Summary

This issue tracks the work introduced in PR `#469` to prevent leaking the \`X-PDCP-Key\` authentication header in debug logs.

## Problem

When the \`--debug-req\` or \`--debug-resp\` flags are enabled, \`httputil.DumpRequestOut\` exposes the \`X-PDCP-Key\` authentication header in plaintext. This can leak the API key into CI logs or shared terminal output, creating a security risk.

## Proposed Solution

Implement a \`redactSensitiveHeaders\` helper function that uses a case-insensitive regular expression to replace the value of the \`X-PDCP-Key\` header with \`[REDACTED]\` in HTTP request/response dumps before they are emitted to debug logs.

## Affected Files

- \`cmd/vulnx/clis/common.go\` — sanitize dumps in \`ensureVulnxClientInitialized\`
- \`pkg/service/vulnx.go\` — sanitize dumps in \`doRequest\`

## Acceptance Criteria

- [ ] The \`X-PDCP-Key\` header value is replaced with \`[REDACTED]\` in all debug log output.
- [ ] All other debug information (headers, body, etc.) remains intact.
- [ ] A dedicated constant (\`xPDCPHeaderKey\`) is used in the regex pattern to avoid hardcoded strings.
- [ ] No regression in existing debug functionality.

## References

- PR: `#469`
- Requested by: `@dogancanbakir`"

Length of output: 1642



@dogancanbakir: Done! I've created issue #473 to track this PR — #473

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/vulnx/clis/common.go`:
- Around line 1047-1050: The redaction logic in redactSensitiveHeaders only
matches X-Api-Key, so debug dumps can still expose X-PDCP-Key credentials.
Update sensitiveHeaderRe in common.go to cover both header names and keep
redactSensitiveHeaders using that shared pattern so any dump containing either
header is replaced with [REDACTED].

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5dca276-6b11-447a-b31b-53a73216e5cd

📥 Commits

Reviewing files that changed from the base of the PR and between c50872c and 5a4ed0f.

📒 Files selected for processing (1)
  • cmd/vulnx/clis/common.go

Comment thread cmd/vulnx/clis/common.go
@dogancanbakir dogancanbakir merged commit d8a5160 into projectdiscovery:main Jun 25, 2026
7 checks passed