Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sanitize Headers on Errors #507

Merged
merged 2 commits into from Jul 21, 2020
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Next
sanitize auth headers on errors
  • Loading branch information
jimmyjames committed Jul 20, 2020
commit 62ca61b3348ec8e74d7d00358661af1a8bc98a3c
4 changes: 4 additions & 0 deletions src/Auth0RestClient.js
Expand Up @@ -3,6 +3,7 @@ var Promise = require('bluebird');
var ArgumentError = require('rest-facade').ArgumentError;

var utils = require('./utils');
var SanitizedError = require('./errors').SanitizedError;

var Auth0RestClient = function(resourceUrl, options, provider) {
if (resourceUrl === null || resourceUrl === undefined) {
Expand All @@ -17,6 +18,9 @@ var Auth0RestClient = function(resourceUrl, options, provider) {
throw new ArgumentError('Must provide options');
}

options.errorCustomizer = options.errorCustomizer || SanitizedError;
options.errorFormatter = options.errorFormatter || { message: 'message', name: 'error' };

this.options = options;
this.provider = provider;
this.restClient = new RestClient(resourceUrl, options);
Expand Down
25 changes: 19 additions & 6 deletions src/errors.js
Expand Up @@ -12,19 +12,32 @@ var errors = (module.exports = {});
* @memberOf module:errors
*/
errors.sanitizeErrorRequestData = function(error) {
if (!error.response || !error.response.request || !error.response.request._data) {
if (
!error.response ||
!error.response.request ||
(!error.response.request._data && !error.response.request._header)
) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not a huge fan of this formatting, but the pre-commit hook did this, so 🤷

return error;
}

Object.keys(error.response.request._data).forEach(function(key) {
if (key.toLowerCase().match('password|secret')) {
error.response.request._data[key] = '[SANITIZED]';
}
});
sanitizeErrors(error.response.request._header);
sanitizeErrors(error.response.request._data);

return error;
};

var sanitizeErrors = function(collection) {
if (!collection) {
return;
}

Object.keys(collection).forEach(function(key) {
if (key.toLowerCase().match('password|secret|authorization')) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not a big fan of such block list approach. This would miss keys such as token, bearer, auth, key and so on.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@davidpatrick any thoughts?

collection[key] = '[SANITIZED]';
}
});
};

/**
* Given an Api Error, modify the original error and sanitize
* sensitive information using sanitizeErrorRequestData
Expand Down
18 changes: 18 additions & 0 deletions test/auth0-rest-client.tests.js
Expand Up @@ -151,6 +151,24 @@ describe('Auth0RestClient', function() {
});
});

it('should sanitize error when access token is in authorization header', function(done) {
nock(API_URL)
.get('/some-resource')
.reply(401);

var options = {
headers: {}
};

var client = new Auth0RestClient(API_URL + '/some-resource', options, this.providerMock);
client.getAll().catch(function(err) {
const originalRequestHeader = err.originalError.response.request._header;
expect(originalRequestHeader.authorization).to.equal('[SANITIZED]');
done();
nock.cleanAll();
});
});

it('should catch error when provider.getAccessToken throws an error', function(done) {
var providerMock = {
getAccessToken: function() {
Expand Down
20 changes: 19 additions & 1 deletion test/errors.tests.js
Expand Up @@ -4,7 +4,7 @@ var errors = require('../src/errors');

describe('Errors', function() {
describe('sanitizeErrorRequestData', function() {
describe('when passed in error is missing request data', function() {
describe('when passed in error is missing request data and headers', function() {
var error = { response: { request: {} } };
var sanitizedError = errors.sanitizeErrorRequestData(error);

Expand Down Expand Up @@ -38,6 +38,24 @@ describe('Errors', function() {
expect(sanitizedData.USER_NAME).to.equal(sanitizedData.USER_NAME);
});
});

describe('when passed in error has header data', function() {
const error = {
response: {
request: {
_header: {
authorization: 'Bearer xyz'
}
}
}
};
const sanitizedError = errors.sanitizeErrorRequestData(error);
const sanitizedData = sanitizedError.response.request._header;

it('should return [SANITIZED] for authorization', function() {
expect(sanitizedData.authorization).to.equal('[SANITIZED]');
});
});
});

describe('SanitizedError', function() {
Expand Down