feat(webhooks): do not redact header if it contains a parameter

pact-foundation · Jul 19, 2019 · 5787e0d · 5787e0d
1 parent 81821a3
commit 5787e0d
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 2 deletions.
diff --git a/lib/pact_broker/webhooks/render.rb b/lib/pact_broker/webhooks/render.rb
@@ -7,6 +7,10 @@ class Render
       TEMPLATE_PARAMETER_REGEXP = /\$\{pactbroker\.[^\}]+\}/
       DEFAULT_ESCAPER = lambda { |it| it }
 
+      def self.includes_parameter?(value)
+        value =~ TEMPLATE_PARAMETER_REGEXP
+      end
+
       def self.call(template, params, &escaper)
         render_template(escape_params(params, escaper || DEFAULT_ESCAPER), template)
       end

diff --git a/lib/pact_broker/webhooks/webhook_request_template.rb b/lib/pact_broker/webhooks/webhook_request_template.rb
@@ -53,7 +53,7 @@ def display_password
 
       def redacted_headers
         headers.each_with_object({}) do | (name, value), new_headers |
-          redact = HEADERS_TO_REDACT.any?{ | pattern | name =~ pattern }
+          redact = HEADERS_TO_REDACT.any?{ | pattern | name =~ pattern }  && !PactBroker::Webhooks::Render.includes_parameter?(value)
           new_headers[name] = redact ? "**********" : value
         end
       end

diff --git a/spec/lib/pact_broker/webhooks/webhook_request_template_spec.rb b/spec/lib/pact_broker/webhooks/webhook_request_template_spec.rb
@@ -11,7 +11,7 @@ module Webhooks
           password: "password",
           uuid: "1234",
           body: body,
-          headers: {'headername' => 'headervalue'}
+          headers: headers
         }
       end
 
@@ -27,6 +27,7 @@ module Webhooks
         }
       end
 
+      let(:headers) { {'headername' => 'headervalue'} }
       let(:url) { "http://example.org/hook?foo=bar" }
       let(:base_url) { "http://broker" }
       let(:built_url) { "http://example.org/hook?foo=barBUILT" }
@@ -107,6 +108,54 @@ module Webhooks
           end
         end
       end
+
+      describe "redacted_headers" do
+        subject { WebhookRequestTemplate.new(attributes) }
+
+        let(:headers) do
+          {
+            'Authorization' => 'foo',
+            'X-authorization' => 'bar',
+            'Token' => 'bar',
+            'X-Auth-Token' => 'bar',
+            'X-Authorization-Token' => 'bar',
+            'OK' => 'ok'
+          }
+        end
+
+        let(:expected_headers) do
+          {
+            'Authorization' => '**********',
+            'X-authorization' => '**********',
+            'Token' => '**********',
+            'X-Auth-Token' => '**********',
+            'X-Authorization-Token' => '**********',
+            'OK' => 'ok'
+          }
+        end
+
+        it "redacts sensitive headers" do
+          expect(subject.redacted_headers).to eq expected_headers
+        end
+
+        context "when there is a parameter in the value" do
+          let(:headers) do
+            {
+              'Authorization' => '${pactbroker.secret}'
+            }
+          end
+
+          let(:expected_headers) do
+            {
+              'Authorization' => '${pactbroker.secret}'
+            }
+          end
+
+          it "does not redact it" do
+            expect(subject.redacted_headers).to eq expected_headers
+          end
+        end
+      end
     end
   end
 end