From 405c55a1f7cf34e7b6e46a86031ef9a41956ca78 Mon Sep 17 00:00:00 2001
From: Shireen Missi <94372015+ShireenMissi@users.noreply.github.com>
Date: Thu, 29 Aug 2024 15:28:03 +0100
Subject: [PATCH] fix(HTTP Request Node): Sanitize authorization headers (#10607)
---
 .../nodes/HttpRequest/GenericFunctions.ts | 17 +++++
 .../HttpRequest/test/utils/utils.test.ts | 63 +++++++++++++++++++
 2 files changed, 80 insertions(+)
diff --git a/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts b/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
index a6994be255..07d25b8b49 100644
--- a/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
+++ b/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
@@ -88,7 +88,24 @@ export function sanitizeUiMessage(
 ),
 };
 }
+ const HEADER_BLOCKLIST = new Set([
+ 'authorization',
+ 'x-api-key',
+ 'x-auth-token',
+ 'cookie',
+ 'proxy-authorization',
+ 'sslclientcert',
+ ]);
+ const headers = sendRequest.headers as IDataObject;
+
+ if (headers) {
+ for (const headerName of Object.keys(headers)) {
+ if (HEADER_BLOCKLIST.has(headerName.toLowerCase())) {
+ headers[headerName] = REDACTED;
+ }
+ }
+ }
 if (secrets && secrets.length > 0) {
 return redact(sendRequest, secrets);
 }
diff --git a/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts b/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
index b3e9d5fbd7..0ad0bf35d1 100644
--- a/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
+++ b/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
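Review bot: `headers[headerName] = REDACTED` writes into the object obtained by `sendRequest.headers as IDataObject`, which is a reference rather than a copy, so the redaction is applied to whatever object that headers field aliases; if `sendRequest` is a shallow copy of the caller's `request` (the start of sanitizeUiMessage is outside this hunk) the live request options lose their Authorization/Cookie values before the HTTP call is made. Build a fresh headers object and assign it back to `sendRequest` instead of mutating in place, as sketched below. A blocklist also only catches the six names listed; any other credential-bearing header still reaches the UI unless its value is in `secrets`, which the set deserves a comment saying, e.g. `// Header names (case-insensitive) always hidden from the UI; other secret-bearing headers rely on the secrets list below.` Hoisting `HEADER_BLOCKLIST` to module scope would avoid rebuilding the Set on every call.
```typescript
	const headers = sendRequest.headers as IDataObject | undefined;

	if (headers) {
		// Copy rather than mutate: the headers object may be shared with the request that is actually sent.
		sendRequest.headers = Object.fromEntries(
			Object.entries(headers).map(([name, value]) => [
				name,
				HEADER_BLOCKLIST.has(name.toLowerCase()) ? REDACTED : value,
			]),
		);
	}
	// … unchanged: secrets redaction …
```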
@@ -136,5 +136,68 @@ describe('HTTP Node Utils', () => {
 uri: 'https://example.com',
 });
 });
+
+ const headersToTest = [
+ 'authorization',
+ 'x-api-key',
+ 'x-auth-token',
+ 'cookie',
+ 'proxy-authorization',
+ 'sslclientcert',
+ ];
+
+ headersToTest.forEach((header) => {
+ it(`should redact the ${header} header when the key is lowercase`, () => {
+ const requestOptions: IRequestOptions = {
+ method: 'POST',
+ uri: 'https://example.com',
+ body: { sessionToken: 'secret', other: 'foo' },
+ headers: { [header]: 'some-sensitive-token', other: 'foo' },
+ auth: { user: 'user', password: 'secret' },
+ };
+
+ const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+ expect(sanitizedRequest.headers).toEqual({ [header]: REDACTED, other: 'foo' });
+ });
+
+ it(`should redact the ${header} header when the key is uppercase`, () => {
+ const requestOptions: IRequestOptions = {
+ method: 'POST',
+ uri: 'https://example.com',
+ body: { sessionToken: 'secret', other: 'foo' },
+ headers: { [header.toUpperCase()]: 'some-sensitive-token', other: 'foo' },
+ auth: { user: 'user', password: 'secret' },
+ };
+
+ const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+ expect(sanitizedRequest.headers).toEqual({
+ [header.toUpperCase()]: REDACTED,
+ other: 'foo',
+ });
+ });
+ });
+
+ it('should leave headers unchanged if Authorization header is not present', () => {
+ const requestOptions: IRequestOptions = {
+ method: 'POST',
+ uri: 'https://example.com',
+ body: { sessionToken: 'secret', other: 'foo' },
+ headers: { other: 'foo' },
+ auth: { user: 'user', password: 'secret' },
+ };
+ const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+ expect(sanitizedRequest.headers).toEqual({ other: 'foo' });
+ });
+
+ it('should handle case when headers are undefined', () => {
+ const requestOptions: IRequestOptions = {};
+
+ const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+ expect(sanitizedRequest.headers).toBeUndefined();
+ });
 });
 });
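Review bot: None of the new cases asserts that the `requestOptions` passed in is left untouched after `sanitizeUiMessage` returns, so a sanitizer that redacts `headers` in place (the implementation is outside this hunk) would pass every test here while corrupting the request that is actually sent; add, after the existing expect in the lowercase case, `expect(requestOptions.headers).toEqual({ [header]: 'some-sensitive-token', other: 'foo' });`. The two spellings exercised are all-lowercase and all-uppercase, while the form clients normally send (`Authorization`, `X-Api-Key`) is neither, so a third `it` using a mixed-case key such as `header.replace(/(^|-)\w/g, (c) => c.toUpperCase())` would cover the common path. The description `should leave headers unchanged if Authorization header is not present` is narrower than what the case checks, since all six names are absent; `if no blocklisted header is present` would be accurate.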