
Enhanced JSON Reports #45

Open
wants to merge 3 commits into
base: master

Conversation

shardy-lbar
Contributor

Based on PR #44, to solve issue #38. This adds a new parameter to the zapArchive step (enhancedReport) which generates a more detailed JSON (and HTML) report.

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@shardy-lbar
Contributor Author

There are currently 2 issues with this implementation (at least for me):

  1. The size of the report that is generated. Some of the APIs on my own projects can have larger response bodies, and these massively pad out the report. For example, a JSON report that was 1.7 kB when not enhanced became 532 kB when enhanced. I had another report that I simply could not open in the browser, as it was simply too large.
  2. Security. As the "request headers" are reported, this appeared to include authorization headers and cookies. For my setups, this isn't too bad as by the time the report is published, the docker instance it was testing has been shutdown and removed. However if other users are testing against a live or long-lived system, this might be a security issue to have it available in the logs.

@shardy-lbar
Contributor Author

Solutions for issue 1 could be:

  • To drop the response body section.
  • To set a character limit on the response body.
    This behaviour could be configurable if needed.

Potential solution to issue 2:

  • Regex replace the Authorization header with XXX for its value.
  • ^ as above, for common auth related headers.
  • Potentially provide a configuration option to say which headers to mask.
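The two mitigations proposed in the comments above (dropping or capping the body sections, and masking a configurable list of headers) sketched as a post-processing pass over the JSON report. This is an added example in Python and not code from this PR or from the plugin; the report layout (site/alerts/instances), the field names `requestHeader`, `responseHeader`, `requestBody`, `responseBody`, and the default header list are assumptions, since the enhanced report's real schema is not shown here.

```python
import json
import re
from typing import Any, Iterable, Optional

# Assumed default list for this example. The PR only names Authorization and
# cookies and suggests making the list configurable, so callers pass their own.
DEFAULT_SENSITIVE_HEADERS = (
    "authorization",
    "proxy-authorization",
    "cookie",
    "set-cookie",
    "x-api-key",
)
MASK = "XXX"

# Assumed field names; the enhanced report's real schema is not shown in the PR.
HEADER_FIELDS = ("requestHeader", "responseHeader")
BODY_FIELDS = ("requestBody", "responseBody")


def build_header_pattern(sensitive: Iterable[str]) -> "re.Pattern[str]":
    """Compile one regex matching 'Name: value' lines for the given header names.

    Anchored at line start and case-insensitive, so 'AUTHORIZATION:' is caught
    while the word 'authorization' inside another header's value is not.
    The value class excludes CR/LF so CRLF line endings survive intact.
    """
    names = "|".join(re.escape(name) for name in sensitive)
    return re.compile(rf"^({names})([ \t]*:[ \t]*)[^\r\n]*", re.IGNORECASE | re.MULTILINE)


def redact_headers(raw_headers: str, sensitive: Iterable[str] = DEFAULT_SENSITIVE_HEADERS) -> str:
    """Replace the value of every sensitive header with MASK, keeping the name."""
    pattern = build_header_pattern(sensitive)
    return pattern.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", raw_headers)


def truncate_body(body: str, limit: int) -> str:
    """Cut a body to `limit` characters and record how much was dropped."""
    if len(body) <= limit:
        return body
    return body[:limit] + f"... [truncated {len(body) - limit} characters]"


def sanitize_report(
    report: Any,
    *,
    body_limit: Optional[int] = 256,
    drop_bodies: bool = False,
    sensitive: Iterable[str] = DEFAULT_SENSITIVE_HEADERS,
) -> Any:
    """Return a sanitized copy of a JSON report (nested dicts/lists).

    Walks the whole tree rather than assuming a fixed layout: every key in
    HEADER_FIELDS is redacted, every key in BODY_FIELDS is dropped (drop_bodies)
    or cut to body_limit characters (None keeps it whole). Input is not modified.
    """
    sensitive = tuple(sensitive)

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                if key in BODY_FIELDS and drop_bodies:
                    continue  # option 1a: drop the body section entirely
                if key in HEADER_FIELDS and isinstance(value, str):
                    out[key] = redact_headers(value, sensitive)  # option 2: mask headers
                elif key in BODY_FIELDS and isinstance(value, str) and body_limit is not None:
                    out[key] = truncate_body(value, body_limit)  # option 1b: character limit
                else:
                    out[key] = walk(value)
            return out
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node

    return walk(report)


# Constructed sample in the assumed shape, with one instance carrying raw
# request headers (including a bearer token and a session cookie) and a large body.
SAMPLE_REPORT = {
    "@version": "example",
    "site": [{
        "@name": "http://target.example:8080",
        "alerts": [{
            "name": "Example alert",
            "instances": [{
                "uri": "http://target.example:8080/api/items",
                "method": "GET",
                "requestHeader": (
                    "GET /api/items HTTP/1.1\r\n"
                    "Host: target.example:8080\r\n"
                    "Authorization: Bearer example.jwt.token\r\n"
                    "Cookie: JSESSIONID=ABC123; theme=dark\r\n"
                    "Accept: application/json\r\n"
                ),
                "responseBody": json.dumps([{"id": i, "note": "x" * 40} for i in range(50)]),
            }],
        }],
    }],
}


def report_size(report: Any) -> int:
    """Serialized size in bytes, to compare the report before and after sanitizing."""
    return len(json.dumps(report).encode("utf-8"))


if __name__ == "__main__":
    clean = sanitize_report(SAMPLE_REPORT, body_limit=64)
    print(json.dumps(clean, indent=2))
    print(f"{report_size(SAMPLE_REPORT)} bytes -> {report_size(clean)} bytes")
```

The regex is anchored to the start of a header line and matches header names case-insensitively, which a naive `Authorization:` substring replace would not; `Set-Cookie` is in the default list so response headers are covered as well. Whatever list is chosen, the masking has to run before the report is archived, since the point raised above is that the published artifact, not the scan, is what outlives the target.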

@bhecquet
Contributor

Hello

I agree with all of your points.
On our setup, tests are done on QA environments so there is no sensitive data, but you are right to point out the security issue.
The reason I added this is because our developer did not have enough information to analyze the alert.
So we should probably add several options to let the user choose the amount of data they need.
