make sure to filter authorization headers

closes #274
elastic · Aug 29, 2018 · 8201c1f · 8201c1f
1 parent e8b134d
commit 8201c1f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/elasticapm/processors.py b/elasticapm/processors.py
@@ -17,7 +17,9 @@
 
 MASK = 8 * "*"
 
-SANITIZE_FIELD_NAMES = frozenset(["password", "secret", "passwd", "token", "api_key", "access_token", "sessionid"])
+SANITIZE_FIELD_NAMES = frozenset(
+    ["authorization", "password", "secret", "passwd", "token", "api_key", "access_token", "sessionid"]
+)
 
 SANITIZE_VALUE_PATTERNS = [re.compile(r"^[- \d]{16,19}$")]  # credit card numbers, with or without spacers
 

diff --git a/tests/processors/tests.py b/tests/processors/tests.py
@@ -15,7 +15,13 @@ def http_test_data():
             "request": {
                 "body": "foo=bar&password=123456&the_secret=abc&cc=1234567890098765",
                 "env": {"foo": "bar", "password": "hello", "the_secret": "hello", "a_password_here": "hello"},
-                "headers": {"foo": "bar", "password": "hello", "the_secret": "hello", "a_password_here": "hello"},
+                "headers": {
+                    "foo": "bar",
+                    "password": "hello",
+                    "the_secret": "hello",
+                    "a_password_here": "hello",
+                    "authorization": "bearer xyz",
+                },
                 "cookies": {
                     "foo": "bar",
                     "password": "topsecret",
@@ -30,7 +36,13 @@ def http_test_data():
             },
             "response": {
                 "status_code": "200",
-                "headers": {"foo": "bar", "password": "hello", "the_secret": "hello", "a_password_here": "hello"},
+                "headers": {
+                    "foo": "bar",
+                    "password": "hello",
+                    "the_secret": "hello",
+                    "a_password_here": "hello",
+                    "authorization": "bearer xyz",
+                },
             },
         }
     }
@@ -111,6 +123,7 @@ def test_sanitize_http_headers(http_test_data):
         "password": processors.MASK,
         "the_secret": processors.MASK,
         "a_password_here": processors.MASK,
+        "authorization": processors.MASK,
     }
     assert result["context"]["request"]["headers"] == expected
     assert result["context"]["response"]["headers"] == expected