fix(HTTP Request Node): Sanitize secrets of predefined credentials (#9612)

2024-09-19 22:37:31 -07:00 · 2024-06-05 09:25:39 +02:00 · 2024-06-05 09:25:39 +02:00 · 84f091d3e5
parent 5361e9f69a
commit 84f091d3e5
5 changed files with 222 additions and 71 deletions
--- a/packages/core/src/NodeExecuteFunctions.ts
+++ b/packages/core/src/NodeExecuteFunctions.ts
@ -2844,7 +2844,8 @@ const getCommonWorkflowFunctions = (
 	getInstanceBaseUrl: () => additionalData.instanceBaseUrl,
 	getInstanceId: () => Container.get(InstanceSettings).instanceId,
 	getTimezone: () => getTimezone(workflow),
-
+	getCredentialsProperties: (type: string) =>
+		additionalData.credentialsHelper.getCredentialsProperties(type),
 	prepareOutputData: async (outputData) => [outputData],
 });

--- a/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
+++ b/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
@ -1,16 +1,20 @@
 import type { SecureContextOptions } from 'tls';
 import type {
+	ICredentialDataDecryptedObject,
 	IDataObject,
 	INodeExecutionData,
+	INodeProperties,
 	IOAuth2Options,
 	IRequestOptions,
 } from 'n8n-workflow';

 import set from 'lodash/set';
+import isPlainObject from 'lodash/isPlainObject';

 import FormData from 'form-data';
-import type { HttpSslAuthCredentials } from './interfaces';
 import { formatPrivateKey } from '../../utils/utilities';
+import type { HttpSslAuthCredentials } from './interfaces';
+import get from 'lodash/get';

 export type BodyParameter = {
 	name: string;
@ -29,7 +33,33 @@ export const replaceNullValues = (item: INodeExecutionData) => {
 	return item;
 };

-export function sanitizeUiMessage(request: IRequestOptions, authDataKeys: IAuthDataSanitizeKeys) {
+export const REDACTED = '**hidden**';
+
+function isObject(obj: unknown): obj is IDataObject {
+	return isPlainObject(obj);
+}
+
+function redact<T = unknown>(obj: T, secrets: string[]): T {
+	if (typeof obj === 'string') {
+		return secrets.reduce((safe, secret) => safe.replace(secret, REDACTED), obj) as T;
+	}
+
+	if (Array.isArray(obj)) {
+		return obj.map((item) => redact(item, secrets)) as T;
+	} else if (isObject(obj)) {
+		for (const [key, value] of Object.entries(obj)) {
+			(obj as IDataObject)[key] = redact(value, secrets);
+		}
+	}
+
+	return obj;
+}
+
+export function sanitizeUiMessage(
+	request: IRequestOptions,
+	authDataKeys: IAuthDataSanitizeKeys,
+	secrets?: string[],
+) {
 	let sendRequest = request as unknown as IDataObject;

 	// Protect browser from sending large binary data
@ -38,7 +68,7 @@ export function sanitizeUiMessage(request: IRequestOptions, authDataKeys: IAuthD
 			...request,
 			body: `Binary data got replaced with this text. Original was a Buffer with a size of ${
 				(request.body as string).length
-			} byte.`,
+			} bytes.`,
 		};
 	}

@ -50,7 +80,7 @@ export function sanitizeUiMessage(request: IRequestOptions, authDataKeys: IAuthD
 				// eslint-disable-next-line @typescript-eslint/no-loop-func
 				(acc: IDataObject, curr) => {
 					acc[curr] = authDataKeys[requestProperty].includes(curr)
-						? '** hidden **'
+						? REDACTED
 						: (sendRequest[requestProperty] as IDataObject)[curr];
 					return acc;
 				},
@ -59,9 +89,33 @@ export function sanitizeUiMessage(request: IRequestOptions, authDataKeys: IAuthD
 		};
 	}

+	if (secrets && secrets.length > 0) {
+		return redact(sendRequest, secrets);
+	}
+
 	return sendRequest;
 }

+export function getSecrets(
+	properties: INodeProperties[],
+	credentials: ICredentialDataDecryptedObject,
+): string[] {
+	const sensitivePropNames = new Set(
+		properties.filter((prop) => prop.typeOptions?.password).map((prop) => prop.name),
+	);
+
+	const secrets = Object.entries(credentials)
+		.filter(([propName]) => sensitivePropNames.has(propName))
+		.map(([_, value]) => value)
+		.filter((value): value is string => typeof value === 'string');
+	const oauthAccessToken = get(credentials, 'oauthTokenData.access_token');
+	if (typeof oauthAccessToken === 'string') {
+		secrets.push(oauthAccessToken);
+	}
+
+	return secrets;
+}
+
 export const getOAuth2AdditionalParameters = (nodeCredentialType: string) => {
 	const oAuth2Options: { [credentialType: string]: IOAuth2Options } = {
 		bitlyOAuth2Api: {
--- a/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts
+++ b/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts
@ -29,14 +29,15 @@ import type { BodyParameter, IAuthDataSanitizeKeys } from '../GenericFunctions';
 import {
 	binaryContentTypes,
 	getOAuth2AdditionalParameters,
+	getSecrets,
 	prepareRequestBody,
 	reduceAsync,
 	replaceNullValues,
 	sanitizeUiMessage,
 	setAgentOptions,
 } from '../GenericFunctions';
-import { keysToLowercase } from '@utils/utilities';
 import type { HttpSslAuthCredentials } from '../interfaces';
+import { keysToLowercase } from '@utils/utilities';

 function toText<T>(data: T) {
 	if (typeof data === 'object' && data !== null) {
@ -1299,7 +1300,12 @@ export class HttpRequestV3 implements INodeType {
 			requestInterval: number;
 		};

-		const sanitazedRequests: IDataObject[] = [];
+		const requests: Array<{
+			options: IRequestOptions;
+			authKeys: IAuthDataSanitizeKeys;
+			credentialType?: string;
+		}> = [];
+
 		for (let itemIndex = 0; itemIndex < items.length; itemIndex++) {
 			if (authentication === 'genericCredentialType') {
 				genericCredentialType = this.getNodeParameter('genericAuthType', 0) as string;
@ -1696,11 +1702,11 @@ export class HttpRequestV3 implements INodeType {
 				}
 			}

-			try {
-				const sanitazedRequestOptions = sanitizeUiMessage(requestOptions, authDataKeys);
-				this.sendMessageToUI(sanitazedRequestOptions);
-				sanitazedRequests.push(sanitazedRequestOptions);
-			} catch (e) {}
+			requests.push({
+				options: requestOptions,
+				authKeys: authDataKeys,
+				credentialType: nodeCredentialType,
+			});

 			if (pagination && pagination.paginationMode !== 'off') {
 				let continueExpression = '={{false}}';
@ -1827,7 +1833,29 @@ export class HttpRequestV3 implements INodeType {
 				requestPromises.push(requestWithAuthentication);
 			}
 		}
-		const promisesResponses = await Promise.allSettled(requestPromises);
+
+		const sanitizedRequests: IDataObject[] = [];
+		const promisesResponses = await Promise.allSettled(
+			requestPromises.map(
+				async (requestPromise, itemIndex) =>
+					await requestPromise.finally(async () => {
+						try {
+							// Secrets need to be read after the request because secrets could have changed
+							// For example: OAuth token refresh, preAuthentication
+							const { options, authKeys, credentialType } = requests[itemIndex];
+							let secrets: string[] = [];
+							if (credentialType) {
+								const properties = this.getCredentialsProperties(credentialType);
+								const credentials = await this.getCredentials(credentialType, itemIndex);
+								secrets = getSecrets(properties, credentials);
+							}
+							const sanitizedRequestOptions = sanitizeUiMessage(options, authKeys, secrets);
+							sanitizedRequests.push(sanitizedRequestOptions);
+							this.sendMessageToUI(sanitizedRequestOptions);
+						} catch (e) {}
+					}),
+			),
+		);

 		let responseData: any;
 		for (let itemIndex = 0; itemIndex < items.length; itemIndex++) {
@ -1842,7 +1870,7 @@ export class HttpRequestV3 implements INodeType {
 						responseData.reason.error = Buffer.from(responseData.reason.error as Buffer).toString();
 					}
 					const error = new NodeApiError(this.getNode(), responseData as JsonObject, { itemIndex });
-					set(error, 'context.request', sanitazedRequests[itemIndex]);
+					set(error, 'context.request', sanitizedRequests[itemIndex]);
 					throw error;
 				} else {
 					removeCircularRefs(responseData.reason as JsonObject);
--- a/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
+++ b/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
@ -1,8 +1,14 @@
 import type { IRequestOptions } from 'n8n-workflow';
-import { prepareRequestBody, setAgentOptions } from '../../GenericFunctions';
+import {
+	REDACTED,
+	prepareRequestBody,
+	sanitizeUiMessage,
+	setAgentOptions,
+} from '../../GenericFunctions';
 import type { BodyParameter, BodyParametersReducer } from '../../GenericFunctions';

-describe('HTTP Node Utils, prepareRequestBody', () => {
+describe('HTTP Node Utils', () => {
+	describe('prepareRequestBody', () => {
 		it('should call default reducer', async () => {
 			const bodyParameters: BodyParameter[] = [
 				{
@ -33,9 +39,9 @@ describe('HTTP Node Utils, prepareRequestBody', () => {
 			expect(result).toBeDefined();
 			expect(result).toEqual({ foo: { bar: { spam: 'baz' } } });
 		});
-});
+	});

-describe('HTTP Node Utils, setAgentOptions', () => {
+	describe('setAgentOptions', () => {
 		it("should not have agentOptions as it's undefined", async () => {
 			const requestOptions: IRequestOptions = {
 				method: 'GET',
@ -72,4 +78,63 @@ describe('HTTP Node Utils, setAgentOptions', () => {
 				},
 			});
 		});
+	});
+
+	describe('sanitizeUiMessage', () => {
+		it('should remove large Buffers', async () => {
+			const requestOptions: IRequestOptions = {
+				method: 'POST',
+				uri: 'https://example.com',
+				body: Buffer.alloc(900000),
+			};
+
+			expect(sanitizeUiMessage(requestOptions, {}).body).toEqual(
+				'Binary data got replaced with this text. Original was a Buffer with a size of 900000 bytes.',
+			);
+		});
+
+		it('should remove keys that contain sensitive data', async () => {
+			const requestOptions: IRequestOptions = {
+				method: 'POST',
+				uri: 'https://example.com',
+				body: { sessionToken: 'secret', other: 'foo' },
+				headers: { authorization: 'secret', other: 'foo' },
+				auth: { user: 'user', password: 'secret' },
+			};
+
+			expect(
+				sanitizeUiMessage(requestOptions, {
+					headers: ['authorization'],
+					body: ['sessionToken'],
+					auth: ['password'],
+				}),
+			).toEqual({
+				body: { sessionToken: REDACTED, other: 'foo' },
+				headers: { other: 'foo', authorization: REDACTED },
+				auth: { user: 'user', password: REDACTED },
+				method: 'POST',
+				uri: 'https://example.com',
+			});
+		});
+
+		it('should remove secrets', async () => {
+			const requestOptions: IRequestOptions = {
+				method: 'POST',
+				uri: 'https://example.com',
+				body: { nested: { secret: 'secretAccessToken' } },
+				headers: { authorization: 'secretAccessToken', other: 'foo' },
+			};
+
+			expect(sanitizeUiMessage(requestOptions, {}, ['secretAccessToken'])).toEqual({
+				body: {
+					nested: {
+						secret: REDACTED,
+					},
+				},
+				headers: { authorization: REDACTED, other: 'foo' },
+				method: 'POST',
+				uri: 'https://example.com',
+			});
+		});
+	});
 });
--- a/packages/workflow/src/Interfaces.ts
+++ b/packages/workflow/src/Interfaces.ts
@ -216,6 +216,8 @@ export abstract class ICredentialsHelper {
 		type: string,
 		data: ICredentialDataDecryptedObject,
 	): Promise<void>;
+
+	abstract getCredentialsProperties(type: string): INodeProperties[];
 }

 export interface IAuthenticateBase {
@ -813,6 +815,7 @@ export type NodeTypeAndVersion = {
 export interface FunctionsBase {
 	logger: Logger;
 	getCredentials(type: string, itemIndex?: number): Promise<ICredentialDataDecryptedObject>;
+	getCredentialsProperties(type: string): INodeProperties[];
 	getExecutionId(): string;
 	getNode(): INode;
 	getWorkflow(): IWorkflowMetadata;