feat: sanitize field names #1898
Conversation
github-actions
bot
added
the
agent-nodejs
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
astorm
force-pushed
the
astorm/sanitize_field_names
branch
from
593dddc to
391fd75
Compare
| @@ -339,3 +339,8 @@ finalhandler: | |||
| memcached: | |||
| versions: '>=2.2.0' | |||
| commands: node test/instrumentation/modules/memcached.js | |||
|
|
|||
| body-parser: | |||
There was a problem hiding this comment.
Express has an external body parser middleware module for capturing application/x-www-form-urlencoded form bodies, so we run its tests through TAV.
Restify and HAPI do not use external middleware for capturing application/x-www-form-urlencoded form bodies, so there's no module to run through TAV.
Fastify and koa do use external middleware for capturing application/x-www-form-urlencoded bodies, but the agent doesn't currently capture their request bodies, so we don't test those module (yet!)
| @@ -66,6 +66,9 @@ var DEFAULTS = { | |||
| logUncaughtExceptions: false, // TODO: Change to `true` in the v4.0.0 | |||
There was a problem hiding this comment.
Everything in this file is just configuration handling (including converting the wildcards into regular expressions)
| @@ -20,6 +20,11 @@ function httpHeaders (obj) { | |||
|
|
|||
There was a problem hiding this comment.
We changed the handling of undefined in this module to be consistent across our all redacted header fields. The was prompted by the fact that
- We filter headers before they're redacted
- We filter headers by setting their value to undefined
- This meant an
authorizationheader we had marked for removal via setting it to undefined would set the REDACTED before the agent had a chance to serialize it as JSON
lib/filters/sanitize-field-names.js
Outdated
| * Express provides multiple body parser middlewares with x-www-form-urlencoded | ||
| * handling. See http://expressjs.com/en/resources/middleware/body-parser.html | ||
| */ | ||
| function removeKeysFromPostedFormVariables (body, requestHeaders, regexes) { |
There was a problem hiding this comment.
This function is probably more complicated than it needs to be right now. I originally thought we would need to be able to handle the parsed request body in all its possible formats. The way feature development ending up going the agent had already normalized these values by the time we wanted to handle them. This function could probably be simplified to remove the raw/buffer handling, but I decided to leave this code in place as it may be useful when/if we handle the request body parsing for fastify, hapi, and koa. I was 52%/48% on this -- not a strongly held decision.
package.json
Outdated
| @@ -117,8 +117,10 @@ | |||
| "@babel/cli": "^7.8.4", | |||
There was a problem hiding this comment.
The body parers are here for the test suites. Even though we discovered that out koa and fastify instrumentation does not capture the body correly (i.e doesn't need to be tested), the test harness I came up with becomes awkward if the middleware isn't here. The was a waffling decision -- happy to reconsider it.
astorm
force-pushed
the
astorm/sanitize_field_names
branch
from
9cf58e1 to
3c29255
Compare
astorm
force-pushed
the
astorm/sanitize_field_names
branch
from
2db30df to
3b9f506
Compare
|
PR feedback's addressed, look for the big old DONE stamp unless there's more work to be done here -- putting out for re-review |
|
Adjustments made (removed handling of and related tests) for new handling of raw body parsering |
Update
Subtitles abound here.
The end goal of all this is to get version of this feature that is suitable for a minor version bump while setting us up for 100% spec and agent compliance in our next major version.
Our current spec discussion say that the
SANITIZE_FIELD_NAMESshould fully READACT the value of a header, post field, or cookie field if they're listed in theSANITIZE_FIELD_NAMESarray. These might be captured by agents in the following fields (see also the intake API/Schema)transaction.context.request.cookiestransaction.context.request.headerstransaction.context.request.body(if form/url encoded)transaction.context.response.headersThe node agent currently captures
transaction.context.request.headers,transaction.context.request.body, andtransaction.context.response.headers, but does not capturetransaction.context.request.cookies.Also worth noting -- the Java agent also has a behavior where it blanks out the values of
transaction.context.request.headers.cookieswhen it parses values intotransaction.context.request.cookies.The Node.js agent also has a preexisting
http-filtermodule that works slightly differently from the behavior ofSANITIZE_FIELD_NAMES. Prior to this PR thehttp-filtermodule was hard-coded to redact theauthorizationHTTP header. The filter also looked for bothset-cookieandcookieHTTP headers, and would parse them into name/value pairs in order to redact individual cookie fields. Once redacted, the name/value pairs would be re-serialized as a cookie string and captured in the.headersproperties. Which individual cookie names got redacted was/is controlled by a list of fields inredact-secrets.The
redact-secretsmodule also looks for values to redact. Specifically, it looks for things that match a credit card regular expression.There's a few important subtleties here.
The new
SANITIZE_FIELD_NAMESfeature, when combined with the default configuration values, indicates that we should completely redact theset-cookieheader.The feature, as spec-ed, does not speak to parsing the values in the HTTP headers and redacting them. It only speaks to parsing values collected in
transaction.context.request.cookiesThe Node.js agent does not appear to have used
redact-secretsto control which HTTP headers or post-body fields/values are redacted. Theredact-secretslist only controls which "cookie field names encoded in the headers" were redacted.This PR
In order to avoid a major version bump this PR
Removes the hard coded
authorizationredacting, and instead relies onauthorizationbeing one of the default values ofSANITIZE_FIELD_NAMESMaintains the "cookie in header" parsing via
redact-secrets, but also includes theSANITIZE_FIELD_NAMESwildcard patterns as part ofredact-secretsIf either
cookieorset-cookieis listed in theSANITIZE_FIELD_NAMESconfiguration array, per the spec this value will be completely redacted.The default value of
SANITIZE_FIELD_NAMESwill include the extra configuration values['pw','pass','connect.sid'](which we have currently proposed in the spec asMAYinclude values)The preserves as much of the previous Node.js agent behavior as possible in order to prevent a major version bump. The one "controversial" behavior I see here is with the new feature behavior,
set-cookiewill be completely redacted by default -- whereas in the previous versions of the agent only specific fields would be redacted. I'm choosing to interpret this as a new enhanced behavior vs. a breaking change.Future Next Major Version PR
In order to be fully spec compliant I also propose that we revisit this when 4.0 rolls around. At this time we'll
['pw','pass','connect.sid']from theSANITIZE_FIELD_NAMESdefaultstransaction.context.request.cookiesand blanking outtransaction.context.request.headers.cookiestransaction.context.request.cookiesper specset-cookiehttp headerOriginal Description
This PR implements the Data sanitization spec.
This PR
sanitizeFeatureNamevalueapplication/x-www-form-urlencodedbased onsanitizeFeatureNameFields are "removed" from the payload object by setting their values to
undefinedin the javascript payload object. This will result in them being skipped in their JSON serializationand allows us to avoid any perf. issues with
delete.During testing we discovered that the agent does not capture
application/x-www-form-urlencodedrequest body payloads for fastify, hapi, and koa. This is why those tests skip those fixtures.Tests:
Additional packages (middleware body parsers for web frameworks) were added to our dev dependencies to allow integration testing of the
application/x-www-form-urlencodedhandling.The
test/sanitize-field-names/main.jsfile contains unit-ish tests for the new functions.The rest of the tests are integration-ish tests where we make HTTP POSTs with each of our supported frameworks and different configured values to determine if the right items are removed from the payloads. Test fixtures are shared between all the different framework integration tests. Fixtures contain input values and expected output values, as well as which style middleware should be used for parsing.
To Do
Checklist