

fix: treat set-cookie in response headers as sensitive data (elastic#…
…1886)

Co-authored-by: Alan Storm <[email protected]>
StoraH and astorm authored Nov 24, 2020
1 parent 25fa027 commit 3838ea6
Showing 2 changed files with 26 additions and 6 deletions.
12 changes: 8 additions & 4 deletions lib/filters/http-headers.js
Expand Up @@ -9,10 +9,16 @@ const SetCookie = require('set-cookie-serde')
module.exports = httpHeaders

function httpHeaders (obj) {
const headers = obj.context && obj.context.request && obj.context.request.headers
const requestHeaders = obj.context && obj.context.request && obj.context.request.headers
const responseHeaders = obj.context && obj.context.response && obj.context.response.headers

if (!headers) return obj
if (requestHeaders) filterSensitiveHeaders(requestHeaders)
if (responseHeaders) filterSensitiveHeaders(responseHeaders)

return obj
}

function filterSensitiveHeaders (headers) {
for (const key in headers) {
switch (key.toLowerCase()) {
case 'authorization':
Expand Down Expand Up @@ -41,8 +47,6 @@ function httpHeaders (obj) {
break
}
}

return obj
}

function stringify (value) {
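Review bot: The new `filterSensitiveHeaders` helper carries no comment saying that it redacts values in place and that the same key list is now applied to response headers, which is the point of this commit; a JSDoc on the line before `function filterSensitiveHeaders (headers)` would make that explicit, e.g. `/** Redact sensitive header values in place; shared by request and response headers so a server-issued set-cookie is scrubbed too. */`. The `for (const key in headers)` loop that follows also walks inherited enumerable properties, which is harmless for the plain objects the tests build but would need a `hasOwnProperty` guard if headers could ever be a prototype-bearing object; that loop predates this change, so only worth touching if the helper is revisited. The switch body, including the set-cookie case, lies outside the hunk.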
20 changes: 18 additions & 2 deletions test/filters.js
Expand Up @@ -10,17 +10,26 @@ function makeTransactionWithHeaders (headers) {
context: {
request: {
headers
},
response: {
headers
}
}
}
}

function getHeaders (result) {
function getRequestHeaders (result) {
try {
return result.context.request.headers
} catch (err) {}
}

function getResponseHeaders (result) {
try {
return result.context.response.headers
} catch (err) {}
}

test('set-cookie', function (t) {
const filters = new Filters()

Expand All @@ -35,7 +44,14 @@ test('set-cookie', function (t) {
})
)

t.deepEqual(getHeaders(result), {
t.deepEqual(getRequestHeaders(result), {
'set-cookie': [
'password=%5BREDACTED%5D',
'card=%5BREDACTED%5D; Secure'
]
})

t.deepEqual(getResponseHeaders(result), {
'set-cookie': [
'password=%5BREDACTED%5D',
'card=%5BREDACTED%5D; Secure'
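Review bot: `makeTransactionWithHeaders` places the same `headers` object under both `request` and `response`, so redacting the request headers already mutates the object that `getResponseHeaders(result)` reads; the new response assertion would therefore still pass if `httpHeaders` never filtered `responseHeaders`, which is exactly the regression this commit is meant to guard against. Give the response its own copy, `response: { headers: JSON.parse(JSON.stringify(headers)) }` — a deep copy, since a shallow `Object.assign({}, headers)` would still share the `set-cookie` array if the filter rewrites its elements in place rather than replacing the value (not visible in this diff). The `getRequestHeaders`/`getResponseHeaders` helpers rely on an empty `catch (err) {}` to yield `undefined` when the path is absent, which is acceptable for a test probe but deserves a one-line comment such as `// undefined when the path is absent` so it is not read as a swallowed error. `makeTransactionWithHeaders` begins before the hunk.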

