filteredExpvarHandler serves /debug/vars but omits the "cmdline" key that expvar publishes by default (os.Args), which may contain the admin token from --security "token=...".
(w http.ResponseWriter, r *http.Request)
// filteredExpvarHandler serves /debug/vars but omits the "cmdline" key that
// expvar publishes by default (os.Args), which may contain the admin token
// from --security "token=...".
//
// The filter is an exact match on the key name "cmdline". Every other
// published variable is written out unchanged, so a variable that exposes the
// arguments or another secret under a different key is still served.
//
// NOTE(review): this handler performs no access check of its own; confirm
// that the mux or listener it is mounted on restricts who can reach it.
func filteredExpvarHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	fmt.Fprint(w, "{\n")

	// sep is empty before the first emitted entry and ",\n" afterwards, so the
	// skipped key never leaves a dangling comma in the JSON object.
	sep := ""
	expvar.Do(func(kv expvar.KeyValue) {
		// Drop the process arguments; they can carry the admin token.
		if kv.Key == "cmdline" {
			return
		}
		fmt.Fprintf(w, "%s%q: %s", sep, kv.Key, kv.Value)
		sep = ",\n"
	})

	fmt.Fprint(w, "\n}\n")
}
| 117 | |
| 118 | // SanitizedDefaultServeMux returns an http.Handler that wraps |
| 119 | // http.DefaultServeMux but blocks endpoints that expose the full process |
no test coverage detected