
Commit 8b34431

authored
Merge pull request from GHSA-3f65-m234-9mxr
Exclude access_token from error message
2 parents 1591be2 + 04fca0a commit 8b34431


2 files changed

+43
-1
lines changed


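--- a/session.go
+++ b/session.go
@@ -562,7 +562,22 @@ func (session *Session) sendRequest(request *http.Request) (response *http.Respo
 }
 
 if err != nil {
-err = fmt.Errorf("facebook: cannot reach facebook server; %w", err)
+originalErr := err
+err = fmt.Errorf("facebook: cannot reach facebook server; %w", originalErr)
+netUrlErr, ok := originalErr.(*url.Error)
+// *url.Error can contain access_token in the URL, so we need to exclude it.
+if !ok || netUrlErr.URL == "" {
+return
+}
+q := request.URL.Query()
+if !q.Has("access_token") {
+return
+}
+q.Del("access_token")
+url := *request.URL
+url.RawQuery = q.Encode()
+netUrlErr.URL = url.String()
+err = fmt.Errorf("facebook: cannot reach facebook server; %w", netUrlErr)
 return
 }
 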
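--- a/session_test.go
+++ b/session_test.go
@@ -11,8 +11,10 @@ import (
 "bytes"
 "context"
 "encoding/base64"
+"errors"
 "net/http"
 "net/http/httptest"
+"strings"
 "testing"
 )
 
@@ -400,3 +402,28 @@ func TestSessionGetWithQueryString(t *testing.T) {
 
 t.Logf("my extended info is: %v", result)
 }
+
+func TestSessionGetFailingWithoutExposingAccessToken(t *testing.T) {
+var accessToken = "CAACZA38ZAD8CoBAe2bDC6EdThnni3b56scyshKINjZARoC9ZAuEUTgYUkYnKdimqfA2ZAXcd2wLd7Rr8jLmMXTY9vqAhQGqObZBIUz1WwbqVoCsB3AAvLtwoWNhsxM76mK0eiJSLXHZCdPVpyhmtojvzXA7f69Bm6b5WZBBXia8iOpPZAUHTGp1UQLFMt47c7RqJTrYIl3VfAR0deN82GMFL2"
+session := &Session{}
+session.SetAccessToken(accessToken)
+session.HttpClient = &http.Client{
+Transport: alwaysFailRoundTripper{},
+}
+
+_, err := session.Get("/me", nil)
+if err == nil {
+t.Fatalf("request should fail")
+}
+if strings.Contains(err.Error(), accessToken) {
+t.Errorf("error message should not contain access token")
+}
+}
+
+type alwaysFailRoundTripper struct{}
+
+var _ http.RoundTripper = alwaysFailRoundTripper{}
+
+func (a alwaysFailRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+return nil, errors.New("request failed since alwaysFailRoundTripper is used")
+}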