Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sanitize Headers on Errors #507

Merged
merged 2 commits into from
Jul 21, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions src/Auth0RestClient.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ var Promise = require('bluebird');
var ArgumentError = require('rest-facade').ArgumentError;

var utils = require('./utils');
var SanitizedError = require('./errors').SanitizedError;

var Auth0RestClient = function(resourceUrl, options, provider) {
if (resourceUrl === null || resourceUrl === undefined) {
Expand All @@ -17,6 +18,9 @@ var Auth0RestClient = function(resourceUrl, options, provider) {
throw new ArgumentError('Must provide options');
}

options.errorCustomizer = options.errorCustomizer || SanitizedError;
options.errorFormatter = options.errorFormatter || { message: 'message', name: 'error' };

this.options = options;
this.provider = provider;
this.restClient = new RestClient(resourceUrl, options);
Expand Down
25 changes: 19 additions & 6 deletions src/errors.js
Original file line number Diff line number Diff line change
Expand Up @@ -12,19 +12,32 @@ var errors = (module.exports = {});
* @memberOf module:errors
*/
errors.sanitizeErrorRequestData = function(error) {
if (!error.response || !error.response.request || !error.response.request._data) {
if (
!error.response ||
!error.response.request ||
(!error.response.request._data && !error.response.request._header)
) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not a huge fan of this formatting, but the pre-commit hook did this, so 🤷

return error;
}

Object.keys(error.response.request._data).forEach(function(key) {
if (key.toLowerCase().match('password|secret')) {
error.response.request._data[key] = '[SANITIZED]';
}
});
sanitizeErrors(error.response.request._header);
sanitizeErrors(error.response.request._data);

return error;
};

var sanitizeErrors = function(collection) {
if (!collection) {
return;
}

Object.keys(collection).forEach(function(key) {
if (key.toLowerCase().match('password|secret|authorization')) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not a big fan of such block list approach. This would miss keys such as token, bearer, auth, key and so on.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@davidpatrick any thoughts?

collection[key] = '[SANITIZED]';
}
});
};

/**
* Given an Api Error, modify the original error and sanitize
* sensitive information using sanitizeErrorRequestData
Expand Down
18 changes: 18 additions & 0 deletions test/auth0-rest-client.tests.js
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,24 @@ describe('Auth0RestClient', function() {
});
});

it('should sanitize error when access token is in authorization header', function(done) {
nock(API_URL)
.get('/some-resource')
.reply(401);

var options = {
headers: {}
};

var client = new Auth0RestClient(API_URL + '/some-resource', options, this.providerMock);
client.getAll().catch(function(err) {
const originalRequestHeader = err.originalError.response.request._header;
expect(originalRequestHeader.authorization).to.equal('[SANITIZED]');
done();
nock.cleanAll();
});
});

it('should catch error when provider.getAccessToken throws an error', function(done) {
var providerMock = {
getAccessToken: function() {
Expand Down
20 changes: 19 additions & 1 deletion test/errors.tests.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ var errors = require('../src/errors');

describe('Errors', function() {
describe('sanitizeErrorRequestData', function() {
describe('when passed in error is missing request data', function() {
describe('when passed in error is missing request data and headers', function() {
var error = { response: { request: {} } };
var sanitizedError = errors.sanitizeErrorRequestData(error);

Expand Down Expand Up @@ -38,6 +38,24 @@ describe('Errors', function() {
expect(sanitizedData.USER_NAME).to.equal(sanitizedData.USER_NAME);
});
});

describe('when passed in error has header data', function() {
const error = {
response: {
request: {
_header: {
authorization: 'Bearer xyz'
}
}
}
};
const sanitizedError = errors.sanitizeErrorRequestData(error);
const sanitizedData = sanitizedError.response.request._header;

it('should return [SANITIZED] for authorization', function() {
expect(sanitizedData.authorization).to.equal('[SANITIZED]');
});
});
});

describe('SanitizedError', function() {
Expand Down