Redact more header keys

n8n-io · Aug 29, 2024 · 5b4f1b5 · 5b4f1b5
1 parent 34bda8b
commit 5b4f1b5
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 31 deletions.
diff --git a/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts b/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
@@ -88,11 +88,22 @@ export function sanitizeUiMessage(
 			),
 		};
 	}
+	const HEADER_BLOCKLIST = new Set([
+		'authorization',
+		'x-api-key',
+		'x-auth-token',
+		'cookie',
+		'proxy-authorization',
+		'sslclientcert',
+	]);
+
 	const headers = sendRequest.headers as IDataObject;
+
 	if (headers) {
-		const headerKey = Object.keys(headers).find((key) => key.toLowerCase() === 'authorization');
-		if (headerKey) {
-			headers[headerKey] = REDACTED;
+		for (const headerName of Object.keys(headers)) {
+			if (HEADER_BLOCKLIST.has(headerName.toLowerCase())) {
+				headers[headerName] = REDACTED;
+			}
 		}
 	}
 	if (secrets && secrets.length > 0) {

diff --git a/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts b/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
@@ -136,32 +136,47 @@ describe('HTTP Node Utils', () => {
 				uri: 'https://example.com',
 			});
 		});
-		it('should redact the Authorization header', () => {
-			const requestOptions: IRequestOptions = {
-				method: 'POST',
-				uri: 'https://example.com',
-				body: { sessionToken: 'secret', other: 'foo' },
-				headers: { authorization: 'Bearer some-sensitive-token', other: 'foo' },
-				auth: { user: 'user', password: 'secret' },
-			};
-			const authDataKeys = {};
-			const sanitizedRequest = sanitizeUiMessage(requestOptions, authDataKeys);
-
-			expect(sanitizedRequest.headers).toEqual({ authorization: REDACTED, other: 'foo' });
-		});
 
-		it('should redact the Authorization header when the key starts with an uppercase letter', () => {
-			const requestOptions: IRequestOptions = {
-				method: 'POST',
-				uri: 'https://example.com',
-				body: { sessionToken: 'secret', other: 'foo' },
-				headers: { Authorization: 'Basic another-sensitive-token', other: 'foo' },
-				auth: { user: 'user', password: 'secret' },
-			};
-			const authDataKeys = {};
-			const sanitizedRequest = sanitizeUiMessage(requestOptions, authDataKeys);
+		const headersToTest = [
+			'authorization',
+			'x-api-key',
+			'x-auth-token',
+			'cookie',
+			'proxy-authorization',
+			'sslclientcert',
+		];
+
+		headersToTest.forEach((header) => {
+			it(`should redact the ${header} header when the key is lowercase`, () => {
+				const requestOptions: IRequestOptions = {
+					method: 'POST',
+					uri: 'https://example.com',
+					body: { sessionToken: 'secret', other: 'foo' },
+					headers: { [header]: 'some-sensitive-token', other: 'foo' },
+					auth: { user: 'user', password: 'secret' },
+				};
+
+				const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+				expect(sanitizedRequest.headers).toEqual({ [header]: REDACTED, other: 'foo' });
+			});
 
-			expect(sanitizedRequest.headers).toEqual({ Authorization: REDACTED, other: 'foo' });
+			it(`should redact the ${header} header when the key is uppercase`, () => {
+				const requestOptions: IRequestOptions = {
+					method: 'POST',
+					uri: 'https://example.com',
+					body: { sessionToken: 'secret', other: 'foo' },
+					headers: { [header.toUpperCase()]: 'some-sensitive-token', other: 'foo' },
+					auth: { user: 'user', password: 'secret' },
+				};
+
+				const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+				expect(sanitizedRequest.headers).toEqual({
+					[header.toUpperCase()]: REDACTED,
+					other: 'foo',
+				});
+			});
 		});
 
 		it('should leave headers unchanged if Authorization header is not present', () => {
@@ -172,17 +187,15 @@ describe('HTTP Node Utils', () => {
 				headers: { other: 'foo' },
 				auth: { user: 'user', password: 'secret' },
 			};
-			const authDataKeys = {};
-			const sanitizedRequest = sanitizeUiMessage(requestOptions, authDataKeys);
+			const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
 
 			expect(sanitizedRequest.headers).toEqual({ other: 'foo' });
 		});
 
 		it('should handle case when headers are undefined', () => {
 			const requestOptions: IRequestOptions = {};
 
-			const authDataKeys = {};
-			const sanitizedRequest = sanitizeUiMessage(requestOptions, authDataKeys);
+			const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
 
 			expect(sanitizedRequest.headers).toBeUndefined();
 		});