Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(HTTP Request Node): Sanitize authorization headers #10607

Merged
merged 4 commits into from
Aug 29, 2024
Merged

fix(HTTP Request Node): Sanitize authorization headers #10607

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f4665c8
Redact authorization headers
ShireenMissi Aug 29, 2024
dbbfdaf
Add one more tests
ShireenMissi Aug 29, 2024
34bda8b
Remove comment
ShireenMissi Aug 29, 2024
5b4f1b5
Redact more header keys
ShireenMissi Aug 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,24 @@ export function sanitizeUiMessage(
),
};
}
const HEADER_BLOCKLIST = new Set([
'authorization',
'x-api-key',
'x-auth-token',
'cookie',
'proxy-authorization',
'sslclientcert',
]);

const headers = sendRequest.headers as IDataObject;

if (headers) {
for (const headerName of Object.keys(headers)) {
if (HEADER_BLOCKLIST.has(headerName.toLowerCase())) {
headers[headerName] = REDACTED;
}
}
}
if (secrets && secrets.length > 0) {
return redact(sendRequest, secrets);
}
Expand Down
63 changes: 63 additions & 0 deletions packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,5 +136,68 @@ describe('HTTP Node Utils', () => {
uri: 'https://example.com',
});
});

const headersToTest = [
'authorization',
'x-api-key',
'x-auth-token',
'cookie',
'proxy-authorization',
'sslclientcert',
];

headersToTest.forEach((header) => {
it(`should redact the ${header} header when the key is lowercase`, () => {
const requestOptions: IRequestOptions = {
method: 'POST',
uri: 'https://example.com',
body: { sessionToken: 'secret', other: 'foo' },
headers: { [header]: 'some-sensitive-token', other: 'foo' },
auth: { user: 'user', password: 'secret' },
};

const sanitizedRequest = sanitizeUiMessage(requestOptions, {});

expect(sanitizedRequest.headers).toEqual({ [header]: REDACTED, other: 'foo' });
});

it(`should redact the ${header} header when the key is uppercase`, () => {
const requestOptions: IRequestOptions = {
method: 'POST',
uri: 'https://example.com',
body: { sessionToken: 'secret', other: 'foo' },
headers: { [header.toUpperCase()]: 'some-sensitive-token', other: 'foo' },
auth: { user: 'user', password: 'secret' },
};

const sanitizedRequest = sanitizeUiMessage(requestOptions, {});

expect(sanitizedRequest.headers).toEqual({
[header.toUpperCase()]: REDACTED,
other: 'foo',
});
});
});

it('should leave headers unchanged if Authorization header is not present', () => {
const requestOptions: IRequestOptions = {
method: 'POST',
uri: 'https://example.com',
body: { sessionToken: 'secret', other: 'foo' },
headers: { other: 'foo' },
auth: { user: 'user', password: 'secret' },
};
const sanitizedRequest = sanitizeUiMessage(requestOptions, {});

expect(sanitizedRequest.headers).toEqual({ other: 'foo' });
});

it('should handle case when headers are undefined', () => {
const requestOptions: IRequestOptions = {};

const sanitizedRequest = sanitizeUiMessage(requestOptions, {});

expect(sanitizedRequest.headers).toBeUndefined();
});
});
});
Loading