Issue Details
The hash action of the query log filter produces the same hash for different query parameter values.
I reproduced this behavior against:
- Caddy v2.11.4 (
e2eee6a7fce366321294c9c2a79f3146891dcbdf)
- Current
master (873fac5fc094fe538d0c477509127bb321d51a32)
Both checkouts were unmodified.
Minimal reproduction
Caddyfile:
{
auto_https off
}
:8080 {
log {
format filter {
wrap json
fields {
request>uri query {
hash request_token
}
}
}
}
respond "ok"
}
Start Caddy and make two requests with different, non-sensitive test values:
curl 'http://localhost:8080/?request_token=alpha'
curl 'http://localhost:8080/?request_token=beta'
Actual behavior
Both requests are logged with the same value:
/?request_token=e3b0c442
/?request_token=e3b0c442
e3b0c442 is the first four bytes of the SHA-256 digest of an empty string.
Expected behavior
Each query parameter value should be hashed individually, as described in the logging documentation. For these test values, the first four bytes of their SHA-256 digests are:
alpha -> 8ed3f6ad
beta -> f44e64e7
The logged URIs should therefore contain different, stable hashes.
Cause
QueryFilter.processQueryString currently passes the action's configured replacement value to hash:
case hashAction:
for i := range q[a.Parameter] {
q[a.Parameter][i] = hash(a.Value)
}
A hash action does not populate a.Value, so this hashes an empty string for every query parameter value.
The query value at the current index appears to be the intended input:
q[a.Parameter][i] = hash(q[a.Parameter][i])
The cookie filter already hashes the actual cookie value, so this would also make the two filters consistent.
I searched existing issues, pull requests, and commits for QueryFilter, e3b0c442, query filter hash, and hash(a.Value), but did not find an existing report. The closest related pull requests are #4424 and #4434.
Assistance Disclosure
AI used
If AI was used, describe the extent to which it was used.
The issue was initially identified with assistance from OpenAI Codex (GPT-5) while reviewing a downstream Caddy configuration. I independently reproduced the behavior against unmodified v2.11.4 and current master checkouts, inspected the relevant implementation, verified the SHA-256 results, and searched for existing reports. AI assisted with the initial analysis and wording; I reviewed and understand the report.
Issue Details
The
hashaction of the query log filter produces the same hash for different query parameter values.I reproduced this behavior against:
e2eee6a7fce366321294c9c2a79f3146891dcbdf)master(873fac5fc094fe538d0c477509127bb321d51a32)Both checkouts were unmodified.
Minimal reproduction
Caddyfile:
{ auto_https off } :8080 { log { format filter { wrap json fields { request>uri query { hash request_token } } } } respond "ok" }Start Caddy and make two requests with different, non-sensitive test values:
Actual behavior
Both requests are logged with the same value:
e3b0c442is the first four bytes of the SHA-256 digest of an empty string.Expected behavior
Each query parameter value should be hashed individually, as described in the logging documentation. For these test values, the first four bytes of their SHA-256 digests are:
The logged URIs should therefore contain different, stable hashes.
Cause
QueryFilter.processQueryStringcurrently passes the action's configured replacement value tohash:A hash action does not populate
a.Value, so this hashes an empty string for every query parameter value.The query value at the current index appears to be the intended input:
The cookie filter already hashes the actual cookie value, so this would also make the two filters consistent.
I searched existing issues, pull requests, and commits for
QueryFilter,e3b0c442,query filter hash, andhash(a.Value), but did not find an existing report. The closest related pull requests are #4424 and #4434.Assistance Disclosure
AI used
If AI was used, describe the extent to which it was used.
The issue was initially identified with assistance from OpenAI Codex (GPT-5) while reviewing a downstream Caddy configuration. I independently reproduced the behavior against unmodified v2.11.4 and current master checkouts, inspected the relevant implementation, verified the SHA-256 results, and searched for existing reports. AI assisted with the initial analysis and wording; I reviewed and understand the report.