fix(HTTP Request Node): Sanitize authorization headers (#10607)

Shireen Missi 2024-08-29 15:28:03 +01:00 committed by GitHub
parent c4eb3746d7
commit 405c55a1f7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 80 additions and 0 deletions


@ -88,7 +88,24 @@ export function sanitizeUiMessage(
),
};
}
const HEADER_BLOCKLIST = new Set([
'authorization',
'x-api-key',
'x-auth-token',
'cookie',
'proxy-authorization',
'sslclientcert',
]);
const headers = sendRequest.headers as IDataObject;
if (headers) {
for (const headerName of Object.keys(headers)) {
if (HEADER_BLOCKLIST.has(headerName.toLowerCase())) {
headers[headerName] = REDACTED;
}
}
}
if (secrets && secrets.length > 0) {
return redact(sendRequest, secrets);
}
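Review bot: `headers[headerName] = REDACTED;` overwrites values on the very object that `sendRequest.headers` refers to, so unless `sendRequest` is a deep copy made above this hunk (not visible here), the caller's request options lose their real `authorization` or `cookie` values and a request sent after sanitizing would carry the placeholder. Building a redacted copy avoids that: `const redactedHeaders = Object.fromEntries(Object.entries(headers).map(([name, value]) => [name, HEADER_BLOCKLIST.has(name.toLowerCase()) ? REDACTED : value]));`, returned on a shallow copy of `sendRequest` rather than assigned back onto it. `HEADER_BLOCKLIST` is also rebuilt on every call and could be a module-level constant. The list is fixed, so a credential carried under a custom header name is only covered if it is among the `secrets` passed to `redact` below. `sanitizeUiMessage` starts and ends outside the hunk.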


@ -136,5 +136,68 @@ describe('HTTP Node Utils', () => {
uri: 'https://example.com',
});
});
const headersToTest = [
'authorization',
'x-api-key',
'x-auth-token',
'cookie',
'proxy-authorization',
'sslclientcert',
];
headersToTest.forEach((header) => {
it(`should redact the ${header} header when the key is lowercase`, () => {
const requestOptions: IRequestOptions = {
method: 'POST',
uri: 'https://example.com',
body: { sessionToken: 'secret', other: 'foo' },
headers: { [header]: 'some-sensitive-token', other: 'foo' },
auth: { user: 'user', password: 'secret' },
};
const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
expect(sanitizedRequest.headers).toEqual({ [header]: REDACTED, other: 'foo' });
});
it(`should redact the ${header} header when the key is uppercase`, () => {
const requestOptions: IRequestOptions = {
method: 'POST',
uri: 'https://example.com',
body: { sessionToken: 'secret', other: 'foo' },
headers: { [header.toUpperCase()]: 'some-sensitive-token', other: 'foo' },
auth: { user: 'user', password: 'secret' },
};
const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
expect(sanitizedRequest.headers).toEqual({
[header.toUpperCase()]: REDACTED,
other: 'foo',
});
});
});
it('should leave headers unchanged if Authorization header is not present', () => {
const requestOptions: IRequestOptions = {
method: 'POST',
uri: 'https://example.com',
body: { sessionToken: 'secret', other: 'foo' },
headers: { other: 'foo' },
auth: { user: 'user', password: 'secret' },
};
const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
expect(sanitizedRequest.headers).toEqual({ other: 'foo' });
});
it('should handle case when headers are undefined', () => {
const requestOptions: IRequestOptions = {};
const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
expect(sanitizedRequest.headers).toBeUndefined();
});
});
});
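Review bot: Every case here asserts only on the returned `sanitizedRequest`, so nothing checks that the input object survives the call; if the sanitizer rewrites the header object in place, these tests still pass. Adding `expect(requestOptions.headers).toEqual({ [header]: 'some-sensitive-token', other: 'foo' });` after the existing expectation in the lowercase case, and the upper-case equivalent in the second case, would pin that. The cases also cover only all-lowercase and all-uppercase names; a mixed-case name such as `Authorization` is the usual spelling and deserves one case of its own. The enclosing `describe` starts outside the hunk.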