Fix cookie redaction in logs (#17914)

* removed incorrect redaction logic

* updated paths that weren't working

* Added new redaction function

* Reverting unintentional change

* don't force lowercase provider names

* extracted cookieNames

* set cookie based on driver settings suggested by ian

* add unit test

* redact the entire cookie header

* updated the tests

* move redact text to constants

---------

Co-authored-by: Azri Kahar <42867097+azrikahar@users.noreply.github.com>
Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
This commit is contained in:
Brainslug
2023-03-24 15:04:22 +01:00
committed by GitHub
parent 27706f7067
commit 73bbfaf058
5 changed files with 165 additions and 72 deletions


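--- a/<PATH_NOT_SHOWN_ON_PAGE>
+++ /dev/null
@@ -1,42 +0,0 @@
-import { describe, expect, test } from 'vitest';
-import env from '../env';
-import { redactHeaderCookie } from './redact-header-cookies';
-describe('redactHeaderCookie', () => {
-describe('Given auth cookies', () => {
-test('When it finds a refresh_token, it should redact the value', () => {
-const tokenKey = env['REFRESH_TOKEN_COOKIE_NAME'];
-const cookieHeader = `${tokenKey}=shh;`;
-const cookieNames = [`${tokenKey}`];
-const redactedCookie = redactHeaderCookie(cookieHeader, cookieNames);
-expect(redactedCookie).toBe(`${tokenKey}=--redacted--;`);
-});
-test('When it finds an access_token, it should redact the value', () => {
-const tokenKey = 'access_token';
-const cookieHeader = `${tokenKey}=secret;`;
-const cookieNames = [`${tokenKey}`];
-const redactedCookie = redactHeaderCookie(cookieHeader, cookieNames);
-expect(redactedCookie).toBe(`${tokenKey}=--redacted--;`);
-});
-test('When it finds both an access_token and refresh_token, it should redact both values', () => {
-const cookieHeader = `access_token=secret; ${env['REFRESH_TOKEN_COOKIE_NAME']}=shhhhhhh; randomCookie=Erdtree;`;
-const cookieNames = ['access_token', `${env['REFRESH_TOKEN_COOKIE_NAME']}`];
-const redactedCookie = redactHeaderCookie(cookieHeader, cookieNames);
-expect(redactedCookie).toBe(
-`access_token=--redacted--; ${env['REFRESH_TOKEN_COOKIE_NAME']}=--redacted--; randomCookie=Erdtree;`
-);
-});
-});
-describe('Given negligible cookies', () => {
-test('It should return the orignal value', () => {
-const originalCookie = `Crown=Swords; Hail=Sithis;`;
-const cookieNames = [env['REFRESH_TOKEN_COOKIE_NAME'], 'access_token'];
-const redactedCookie = redactHeaderCookie(originalCookie, cookieNames);
-expect(redactedCookie).toBe(originalCookie);
-});
-});
-});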


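--- a/<DIR_NOT_SHOWN_ON_PAGE>/redact-header-cookies.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-export function redactHeaderCookie(cookieHeader: string, cookieNames: string[]) {
-for (const cookieName of cookieNames) {
-const re = new RegExp(`(${cookieName}=)([^;]+)`);
-cookieHeader = cookieHeader.replace(re, `$1--redacted--`);
-}
-return cookieHeader;
-}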