Merge pull request #85 from zapier/strip-querystring-from-error-message

fix(core): hide sensitive data from error messages
zapier · Oct 21, 2019 · d90c29d · d90c29d
2 parents 32d9756 + c737413
commit d90c29d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 7 deletions.
diff --git a/packages/core/src/http-middlewares/after/throw-for-stale-auth.js b/packages/core/src/http-middlewares/after/throw-for-stale-auth.js
@@ -1,12 +1,13 @@
 'use strict';
 
+const { stripQueryFromURL } = require('../../tools/http');
+
 const errors = require('../../errors');
 
 const throwForStaleAuth = resp => {
   if (resp.status === 401) {
-    const message = `Got ${resp.status} calling ${resp.request.method} ${
-      resp.request.url
-    }, triggering auth refresh.`;
+    const cleanURL = stripQueryFromURL(resp.request.url);
+    const message = `Got ${resp.status} calling ${resp.request.method} ${cleanURL}, triggering auth refresh.`;
     throw new errors.RefreshAuthError(message);
   }
 

diff --git a/packages/core/src/http-middlewares/after/throw-for-status.js b/packages/core/src/http-middlewares/after/throw-for-status.js
@@ -1,10 +1,11 @@
 'use strict';
 
+const { stripQueryFromURL } = require('../../tools/http');
+
 const throwForStatus = resp => {
   if (resp.status > 300) {
-    const message = `Got ${resp.status} calling ${resp.request.method} ${
-      resp.request.url
-    }, expected 2xx.`;
+    const cleanURL = stripQueryFromURL(resp.request.url);
+    const message = `Got ${resp.status} calling ${resp.request.method} ${cleanURL}, expected 2xx.`;
     throw new Error(message);
   }
 

diff --git a/packages/core/src/tools/http.js b/packages/core/src/tools/http.js
@@ -1,3 +1,5 @@
+const { URL } = require('url');
+
 const _ = require('lodash');
 const fetch = require('node-fetch');
 
@@ -28,7 +30,7 @@ const parseHttpList = s => {
   let part = '';
 
   let escape = false;
-    let quote = false;
+  let quote = false;
 
   for (let i = 0; i < s.length; i++) {
     const cur = s.charAt(i);
@@ -97,11 +99,18 @@ const parseDictHeader = s => {
 const unheader = h =>
   h instanceof fetch.Headers && _.isFunction(h.toJSON) ? h.toJSON() : h;
 
+const stripQueryFromURL = url => {
+  // Strip off querystring for any sensitive data
+  const u = new URL(url);
+  return u.origin + u.pathname;
+};
+
 module.exports = {
   FORM_TYPE,
   JSON_TYPE,
   JSON_TYPE_UTF8,
   getContentType,
   parseDictHeader,
+  stripQueryFromURL,
   unheader
 };