Serenity Rest - Blacklisted Request headers not masked in the console logs and report #2660

Closed
m-aster22 opened this issue Jan 6, 2022 · 1 comment

Comments

@m-aster22

I'm trying to mask the API key passed in the Request header for security purposes.

When I use rest-assured's method, the request header is blacklisted in the console logs but the REST query isn't published in the Serenity report.

    given()
        .config(
            RestAssuredConfig.config()
                .logConfig(LogConfig.logConfig().blacklistHeader("x-api-key")))
        .baseUri("https://my-api-base-uri.com")
        .header("x-api-key", "my-api-key-value")
        .log()
        .all();

Console log output:

    Request method:	GET
    Request URI:	https://my-api-base-uri.com
    Proxy:		<none>
    Request params:	<none>
    Query params:	<none>
    Form params:	<none>
    Path params:	customer_no=001
    Headers:		x-api-key=[ BLACKLISTED ]
    			Accept=*/*
    Cookies:		<none>
    Multiparts:		<none>
    Body:		<none>
    HTTP/1.1 200 OK

When I use SerenityRest, the blacklisted header value is still published in both the console logs and the report.

    SerenityRest.given()
        .config(
            RestAssuredConfig.config()
                .logConfig(LogConfig.logConfig().blacklistHeader("x-api-key")))
        .baseUri("https://my-api-base-uri.com")
        .header("x-api-key", "my-api-key-value")
        .log()
        .all();

Console log output:

    Request method:	GET
    Request URI:	https://my-api-base-uri.com
    Proxy:		<none>
    Request params:	<none>
    Query params:	<none>
    Form params:	<none>
    Path params:	customer_no=001
    Headers:		x-api-key=my-api-key-value
    			Accept=*/*
    Cookies:		<none>
    Multiparts:		<none>
    Body:		<none>
    HTTP/1.1 200 OK


serenityCoreVersion: 2.3.12
serenityRestAssuredVersion: 2.3.12
rest-assured version: 4.3.2

@wakaleo
Member

wakaleo commented Jan 6, 2022

I'm not familiar with the blacklistHeader() method, but from a quick look at the Serenity code, you would need to refactor the registerCall() method in the net.serenitybdd.rest.utils.RestReportingHelper class, and do some pre-processing on the headers before creating the RestQuery object. If you do a pull request I am happy to review.
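The pre-processing suggested above, as an added example that is not Serenity's own code: a small helper that takes the blacklist from the request's RestAssured `LogConfig` and returns a copy of the headers with the sensitive values replaced before they are handed to the report. The class and method names (`HeaderMasking`, `mask`) are hypothetical; how the headers are pulled out of the `RestQuery` inside `RestReportingHelper.registerCall()` is not shown on this page and is left to whoever wires it in. `LogConfig.blacklistedHeaders()` is assumed to be available in the rest-assured 4.x line the issue uses.

```java
import io.restassured.config.LogConfig;
import io.restassured.http.Header;
import io.restassured.http.Headers;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical helper: mask blacklisted headers before they reach the Serenity report. */
public final class HeaderMasking {

    // Same marker RestAssured prints in the console log (see the issue's console output).
    static final String MASK = "[ BLACKLISTED ]";

    /**
     * Returns a copy of {@code headers} in which every blacklisted header keeps its name
     * but has its value replaced by MASK. Names are compared case-insensitively (HTTP
     * header names are case-insensitive), so "X-Api-Key" is caught even when the
     * blacklist entry is "x-api-key"; this is an assumption of this example, not
     * necessarily RestAssured's own matching rule.
     */
    public static Headers mask(Headers headers, Set<String> blacklistedNames) {
        Set<String> blacklist = blacklistedNames.stream()
                .map(n -> n.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
        List<Header> masked = new ArrayList<>();
        for (Header h : headers) {
            boolean sensitive = blacklist.contains(h.getName().toLowerCase(Locale.ROOT));
            masked.add(new Header(h.getName(), sensitive ? MASK : h.getValue()));
        }
        return new Headers(masked);
    }

    /** Convenience overload that reads the blacklist from the request's LogConfig. */
    public static Headers mask(Headers headers, LogConfig logConfig) {
        return mask(headers, logConfig.blacklistedHeaders());
    }

    public static void main(String[] args) {
        // Constructed sample input mirroring the request in the issue.
        Headers sent = new Headers(
                new Header("x-api-key", "my-api-key-value"),
                new Header("Accept", "*/*"));
        LogConfig logConfig = LogConfig.logConfig().blacklistHeader("x-api-key");

        for (Header h : mask(sent, logConfig)) {
            System.out.println(h.getName() + "=" + h.getValue());
        }
    }
}
```

Because the masking happens on a copy, the real header still goes out on the wire; only the logged and reported representation loses the secret.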

wakaleo added a commit that referenced this issue Feb 14, 2022
* PageElements can now be used in Action Classes

* PageElements can now be used in Action Classes

* Removed old datatable files to fix #2667.

* Improved support for aria-labels in the PageElement components.

* Fixed a broken unit test.

* Minor refactoring.

* Minor test refactoring

* Unit test fixes

* Added better reporting on the number of test cases vs the number of scenarios

* Fixed #2660

* Minor refactoring

* Updated to appium 8.0.0-beta2

* fixed syntax error in pom file

* minor refactoring

* [ci skip] prepare release 3.1.16

* [ci skip] prepare for next development iteration

* [maven-release-plugin] rollback the release of 3.1.16

* [ci skip] prepare release 3.1.16

* [maven-release-plugin] rollback the release of 3.1.16

* [ci skip] prepare release 3.1.16

* [ci skip] prepare for next development iteration

* Added possessive pronouns to Screenplay defaults

* Fixed an error in reporting test duration statistics with data-driven tests

* Minor refactoring

* Minor performance improvements

* Extend Playwright integration (#2681)

* Refactor Playwright screenshot.

* Implement screenshots for SERENITY_TAKE_SCREENSHOTS: FOR_FAILURES and FOR_EACH_ACTION.

* Update return classes for Open action.

* Add Playwright actions to open page from class.
Divide Playwright questions and add methods to get text of multiple matching elements.

* Use LOGGER.debug instead of System.out.println and fix NPE in BrowseTheWebWithPlaywright.

* Use ScreenshotPermission instead of hardcoded screenshot levels for Playwright.

* Upgrade Playwright.
Implement SelectFromOptions interaction.

* Implement Select interactions by index and visible text for Playwright.

* Implement Ensure.currentValue to check current values of input, textarea and select.

* Update Javadoc

* Implement Attribute question.

* Implement SelectOptions and Visibility questions.

Co-authored-by: Serghei Pogodin <serghei.pogodin@rabobank.nl>

* Fixed a bug where requirements were not reported when defined in WebTestScenario tests

* Removed an unnecessary test

* [ci skip] prepare release 3.1.17

* [ci skip] prepare for next development iteration

* [ci skip] prepare release 3.1.18

* [ci skip] prepare for next development iteration

* Updated to Selenium 4.1.2

* [ci skip] prepare release 3.1.20

* [ci skip] prepare for next development iteration

* Removed the @deprecated annotation from some of the WebElementFacade methods.

* Updated the Page Elements classes

* Fixed library security issues due to colors.js and xstream 1.4.18

* Bump xstream from 1.4.18 to 1.4.19 (#2683)

Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.18 to 1.4.19.
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

---
updated-dependencies:
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Create SECURITY.md

* 🚑 FIX an error when executing actions on After methods (#2693)

* serenity-junit5: replace org.junit.AssumptionViolatedException with org.opentest4j.TestAbortedException (#2687)

* Update README.md

* Fixed #2695

* Minor refactoring.

* Fixed an issue with capitalisation of test titles containing apostrophes.

* Refactoring.

* Performance enhancements

* Updated some javadocs regarding proxy settings

* Updated proxy documentation in Javadoc

* Refactored to make unit tests less OS-specific

* Refactored to make unit tests less OS-specific

* Switch some tests to Firefox for variety

* Use a standardised path for requirements to make the tests less OS-dependent

* Fixed a potential Windows-specific issue when reading requirements

* fix: BrowserStack session properties not parsed correctly if null (#2701)

Co-authored-by: Keith <xxthePantzxx@gmail.com>

* Fixed Windows-specific issue related to analysing requirements

* Fixed OS-specific unit tests

* Requirements display the parent requirement if duplicate requirement names are present

* Improvements in the requirements reporting

* Fixed #2688

* [ci skip] prepare release 3.2.0

* [ci skip] prepare for next development iteration

* Updated javadocs

* Added release notes for version 3.2.0

* Update README.md

* Updated release notes

* Added Javadoc for shadow dom locators

* Update README.md

* Create codeql-analysis.yml

* Delete codeql-analysis.yml

* improve parallel support for JUnit5 tests

* fix Junit Test

Co-authored-by: John Ferguson Smart <john.smart@wakaleo.com>
Co-authored-by: Serghei Pogodin <pogodin.serg@gmail.com>
Co-authored-by: Serghei Pogodin <serghei.pogodin@rabobank.nl>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: ricardo larrahondo <ricardolarrahondo2@hotmail.com>
Co-authored-by: zeners <zener@sbg.at>
Co-authored-by: Keith Tremorin <thePantz@users.noreply.github.com>
Co-authored-by: Keith <xxthePantzxx@gmail.com>