From a0136dcc5de49ad8dd5c6ad9355589b6c6731f47 Mon Sep 17 00:00:00 2001
From: Josh Mock
Date: Thu, 7 Mar 2024 14:48:01 -0600
Subject: [PATCH] Add additional tests to ensure redaction does not leak
---
 test/unit/errors.test.ts | 11 ++++++++++-
 test/unit/transport.test.ts | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/test/unit/errors.test.ts b/test/unit/errors.test.ts
index 4e0f71c..85cf176 100644
--- a/test/unit/errors.test.ts
+++ b/test/unit/errors.test.ts
@@ -187,4 +187,13 @@ test('redaction does not transform array properties into objects', t => {
 t.equal(Array.isArray(errResponse.body.error.root_cause), true)
 t.end()
-})
\ No newline at end of file
+})
+
+test('redaction does leak back to original object', t => {
+ const diags = makeDiagnostics()
+ diags.forEach(diag => {
+ const err = new errors.TimeoutError('timeout', diag)
+ t.not(err?.meta?.headers?.authorization, diag.headers?.authorization)
+ })
+ t.end()
+})
diff --git a/test/unit/transport.test.ts b/test/unit/transport.test.ts
index 5d13925..d44b064 100644
--- a/test/unit/transport.test.ts
+++ b/test/unit/transport.test.ts
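Review bot: In test/unit/errors.test.ts the new test is titled `'redaction does leak back to original object'`, which states the opposite of what it checks; it should read `'redaction does not leak back to original object'`. The assertion `t.not(err?.meta?.headers?.authorization, diag.headers?.authorization)` only shows that the two values differ, so it does not pin the input's header to its pre-construction value. It would also fail for any diagnostic without an authorization header (both sides `undefined`), which depends on what `makeDiagnostics` returns outside this hunk. Capturing the value first is more direct: `const before = diag.headers?.authorization` ahead of the constructor, then `t.equal(diag.headers?.authorization, before)`.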
@@ -2138,3 +2138,40 @@ test('Error additional key redaction', async t => {
 }
 server.stop()
 })
+
+test('redaction does not get leaked to original object', async t => {
+ t.plan(1)
+ function handler (_req: http.IncomingMessage, res: http.ServerResponse) {
+ setTimeout(() => res.end('ok'), 100)
+ }
+ const [{ port }, server] = await buildServer(handler)
+
+ const pool = new WeightedConnectionPool({ Connection: UndiciConnection })
+ pool.addConnection(`http://localhost:${port}`)
+
+ const transport = new Transport({
+ connectionPool: pool,
+ requestTimeout: 50,
+ })
+
+ const original = {
+ meta: true,
+ headers: {
+ authorization: '**-the--secret--code-**'
+ }
+ }
+
+ try {
+ await transport.request({
+ path: '/hello',
+ method: 'GET'
+ }, original)
+ } catch (err: any) {
+ if (err instanceof TimeoutError) {
+ t.match(original.headers.authorization, '**-the--secret--code-**')
+ } else {
+ t.fail(`should not be called, got error: ${err}`)
+ }
+ }
+ server.stop()
+})
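Review bot: The assertion `t.match(original.headers.authorization, '**-the--secret--code-**')` in the TimeoutError branch is looser than this test needs. With two strings, tap's `t.match` appears to do a substring check, so a caller-owned value that was altered but still contains the secret would pass. `t.equal(original.headers.authorization, '**-the--secret--code-**')` pins that the caller's options object is left exactly as it was passed in. The test checks only the caller's side; asserting in the same branch that the error's own copy of the header is redacted (with `t.plan` raised to match) would cover both halves of the guarantee in one place.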