Merge pull request from GHSA-8vg2-wf3q-mwv7
* fix(api): redact header cookie This is a quick PoC for a fix. I am not sure if it's the best answer and have not added tests yet. If we feel good about it, I can add tests and open a PR. Please let me know how you'd like to proceed! * cleaner * rework to handle multiple inputs and add unit tests * Added same redacting logic for the response set-cookie --------- Co-authored-by: Brainslug <tim@brainslug.nl> Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
1 parent
59f965c
commit 3495363
Showing
3 changed files
with
67 additions
and
2 deletions.
| @@ -0,0 +1,42 @@ | ||
| import { describe, expect, test } from 'vitest'; | ||
| import env from '../env'; | ||
| import { redactHeaderCookie } from './redact-header-cookies'; | ||
|
|
||
| describe('redactHeaderCookie', () => { | ||
| describe('Given auth cookies', () => { | ||
| test('When it finds a refresh_token, it should redact the value', () => { | ||
| const tokenKey = env.REFRESH_TOKEN_COOKIE_NAME; | ||
| const cookieHeader = `${tokenKey}=shh;`; | ||
| const cookieNames = [`${tokenKey}`]; | ||
|
|
||
| const redactedCookie = redactHeaderCookie(cookieHeader, cookieNames); | ||
| expect(redactedCookie).toBe(`${tokenKey}=--redacted--;`); | ||
| }); | ||
| test('When it finds an access_token, it should redact the value', () => { | ||
| const tokenKey = 'access_token'; | ||
| const cookieHeader = `${tokenKey}=secret;`; | ||
| const cookieNames = [`${tokenKey}`]; | ||
|
|
||
| const redactedCookie = redactHeaderCookie(cookieHeader, cookieNames); | ||
| expect(redactedCookie).toBe(`${tokenKey}=--redacted--;`); | ||
| }); | ||
| test('When it finds both an access_token and refresh_token, it should redact both values', () => { | ||
| const cookieHeader = `access_token=secret; ${env.REFRESH_TOKEN_COOKIE_NAME}=shhhhhhh; randomCookie=Erdtree;`; | ||
| const cookieNames = ['access_token', `${env.REFRESH_TOKEN_COOKIE_NAME}`]; | ||
|
|
||
| const redactedCookie = redactHeaderCookie(cookieHeader, cookieNames); | ||
| expect(redactedCookie).toBe( | ||
| `access_token=--redacted--; ${env.REFRESH_TOKEN_COOKIE_NAME}=--redacted--; randomCookie=Erdtree;` | ||
| ); | ||
| }); | ||
| }); | ||
| describe('Given negligible cookies', () => { | ||
| test('It should return the orignal value', () => { | ||
| const originalCookie = `Crown=Swords; Hail=Sithis;`; | ||
| const cookieNames = [env.REFRESH_TOKEN_COOKIE_NAME, 'access_token']; | ||
|
|
||
| const redactedCookie = redactHeaderCookie(originalCookie, cookieNames); | ||
| expect(redactedCookie).toBe(originalCookie); | ||
| }); | ||
| }); | ||
| }); |
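Review bot: The cases in this file never exercise a cookie whose name merely ends in a target name (e.g. `x_access_token=a; access_token=secret`), which is exactly the input where the unanchored, non-global pattern in `redactHeaderCookie` rewrites the wrong cookie and leaves the real `access_token` value in the header; a test asserting that `access_token=--redacted--` appears and `secret` does not would pin the intended contract. A case where the configured cookie name contains a regex metacharacter (e.g. `my.token`) is also missing, since `env.REFRESH_TOKEN_COOKIE_NAME` flows into `new RegExp` unescaped. Minor: the test title `It should return the orignal value` misspells "original".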
| @@ -0,0 +1,7 @@ | ||
| export function redactHeaderCookie(cookieHeader: string, cookieNames: string[]) { | ||
| for (const cookieName of cookieNames) { | ||
| const re = new RegExp(`(${cookieName}=)([^;]+)`); | ||
| cookieHeader = cookieHeader.replace(re, `$1--redacted--`); | ||
| } | ||
| return cookieHeader; | ||
| } |
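Review bot: The pattern built on the `const re` line is unanchored and interpolates `cookieName` unescaped, so for a header such as `x_access_token=a; access_token=secret` the substring `access_token=a` inside the first cookie is what gets redacted, and because `replace` is called without the `g` flag the real `access_token` value is returned untouched. `env.REFRESH_TOKEN_COOKIE_NAME` is configurable, so any regex metacharacter in it would likewise change what the pattern matches. Anchoring the name at a cookie boundary (`^` or `;` plus optional whitespace), escaping it, and adding the `g` flag fixes all three; the rewrite below also stops reassigning the `cookieHeader` parameter and annotates the return type, and it still produces the exact strings the new unit tests expect.
```typescript
/** Escapes regex metacharacters so a configured cookie name is matched literally. */
const escapeRegExp = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

export function redactHeaderCookie(cookieHeader: string, cookieNames: string[]): string {
  return cookieNames.reduce((header, cookieName) => {
    // Anchor at a cookie boundary so `x_access_token=` cannot satisfy `access_token=`,
    // and use the global flag so every occurrence of the cookie is redacted.
    const re = new RegExp(`((?:^|;\\s*)${escapeRegExp(cookieName)}=)([^;]+)`, 'g');
    return header.replace(re, '$1--redacted--');
  }, cookieHeader);
}
```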