Capture entire key name during cleansing in _mask_credentials

Additionally, enhance tests to verify that the keys are not mangled
jazzband · Apr 7, 2020 · 6ba58b1 · 6ba58b1
1 parent 186cfb3
commit 6ba58b1
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 12 deletions.
diff --git a/project/tests/test_sensitive_data_in_request.py b/project/tests/test_sensitive_data_in_request.py
@@ -9,38 +9,65 @@
 
 DJANGO_META_CONTENT_TYPE = 'CONTENT_TYPE'
 HTTP_CONTENT_TYPE = 'Content-Type'
+CLEANSED = RequestModelFactory.CLEANSED_SUBSTITUTE
 
 
 class MaskCredentialsInFormsTest(TestCase):
     def _mask(self, value):
         return RequestModelFactory(None)._mask_credentials(value)
 
     def test_mask_credentials_preserves_single_insensitive_values(self):
-        self.assertIn("public", self._mask("foo=public"))
-
-    def test_mask_credentials_preserves_insensitive_values_between_sensitive_values(self):
-        self.assertIn("public", self._mask("password=1&foo=public&secret=2"))
+        body = "foo=public"
+        expected = "foo=public"
+        self.assertEqual(expected, self._mask(body))
 
     def test_mask_credentials_masks_sensitive_values(self):
-        self.assertNotIn("secret", self._mask("password=secret"))
+        body = "password=secret"
+        expected = "password={}".format(CLEANSED)
+        self.assertEqual(expected, self._mask(body))
+
+    def test_mask_credentials_masks_multiple_sensitive_values(self):
+        body = "password=mypassword&secret=mysecret"
+        expected = "password={}&secret={}".format(CLEANSED, CLEANSED)
+        self.assertEqual(expected, self._mask(body))
 
     def test_mask_credentials_masks_sensitive_values_between_insensitive_values(self):
-        self.assertNotIn("secret", self._mask("public1=foo&password=secret&public2=bar"))
+        body = "public1=foo&password=secret&public2=bar"
+        expected = "public1=foo&password={}&public2=bar".format(CLEANSED)
+        self.assertEqual(expected, self._mask(body))
+
+    def test_mask_credentials_preserves_insensitive_values_between_sensitive_values(self):
+        body = "password=1&foo=public&secret=2"
+        expected = "password={}&foo=public&secret={}".format(CLEANSED, CLEANSED)
+        self.assertEqual(expected, self._mask(body))
 
     def test_mask_credentials_is_case_insensitive(self):
-        self.assertNotIn("secret", self._mask("UsErNaMe=secret"))
+        body = "UsErNaMe=secret"
+        expected = "UsErNaMe={}".format(CLEANSED)
+        self.assertEqual(expected, self._mask(body))
 
     def test_mask_credentials_handles_prefixes(self):
-        self.assertNotIn("secret", self._mask("prefixed-username=secret"))
+        body = "prefixed-username=secret"
+        expected = "prefixed-username={}".format(CLEANSED)
+        self.assertEqual(expected, self._mask(body))
 
     def test_mask_credentials_handles_suffixes(self):
-        self.assertNotIn("secret", self._mask("username-with-suffix=secret"))
+        body = "username-with-suffix=secret"
+        expected = "username-with-suffix={}".format(CLEANSED)
+        self.assertEqual(expected, self._mask(body))
+
+    def test_mask_credentials_handles_regex_characters(self):
+        body = "password=secret++"
+        expected = "password={}".format(CLEANSED)
+        self.assertEqual(expected, self._mask(body))
 
     def test_mask_credentials_handles_regex_characters(self):
         self.assertNotIn("secret", self._mask("password=secret++"))
 
     def test_mask_credentials_handles_complex_cases(self):
-        self.assertNotIn("secret", self._mask("foo=public&prefixed-uSeRname-with-suffix=secret&bar=public"))
+        body = "foo=public&prefixed-uSeRname-with-suffix=secret&bar=public"
+        expected = "foo=public&prefixed-uSeRname-with-suffix={}&bar=public".format(CLEANSED)
+        self.assertEqual(expected, self._mask(body))
 
 
 class MaskCredentialsInJsonTest(TestCase):

diff --git a/silk/model_factory.py b/silk/model_factory.py
@@ -121,9 +121,9 @@ def replace_pattern_values(obj):
         try:
             json_body = json.loads(body)
         except Exception as e:
-            pattern = re.compile(r'({})[^=]*=(.*?)(&|$)'.format(key_string), re.M | re.I)
+            pattern = re.compile(r'(({})[^=]*)=(.*?)(&|$)'.format(key_string), re.M | re.I)
             try:
-                body = re.sub(pattern, '\\1={}\\3'.format(RequestModelFactory.CLEANSED_SUBSTITUTE), body)
+                body = re.sub(pattern, '\\1={}\\4'.format(RequestModelFactory.CLEANSED_SUBSTITUTE), body)
             except Exception:
                 Logger.debug('{}'.format(str(e)))
         else: