obfuscate authorization header by default

soos-io · Feb 2, 2024 · cc5f50b · cc5f50b
1 parent 8521ea9
commit cc5f50b
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 15 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -19,7 +19,7 @@ import {
   IntegrationType,
 } from "@soos-io/api-client";
 import { version } from "../package.json";
-import { ZAPCommandGenerator } from "./utilities";
+import { ZAPCommandGenerator, ZAPReportTransformer } from "./utilities";
 import AnalysisService from "@soos-io/api-client/dist/services/AnalysisService";
 import AnalysisArgumentParser, {
   IBaseScanArguments,
@@ -324,23 +324,12 @@ class SOOSDASTAnalysis {
       const runSuccess = fs.existsSync(SOOS_DAST_CONSTANTS.Files.ReportScanResultFile);
       soosLogger.info(`Scan finished with success: ${runSuccess}`);
 
-      const discoveredUrls =
-        fs.existsSync(SOOS_DAST_CONSTANTS.Files.SpideredUrlsFile) &&
-        fs.statSync(SOOS_DAST_CONSTANTS.Files.SpideredUrlsFile).isFile()
-          ? fs
-              .readFileSync(SOOS_DAST_CONSTANTS.Files.SpideredUrlsFile, "utf-8")
-              .split("\n")
-              .filter((url) => url.trim() !== "")
-          : [];
-
       const data = JSON.parse(
         fs.readFileSync(SOOS_DAST_CONSTANTS.Files.ReportScanResultFile, "utf-8"),
       );
-      data["discoveredUrls"] = discoveredUrls;
-      fs.writeFileSync(
-        SOOS_DAST_CONSTANTS.Files.ReportScanResultFile,
-        JSON.stringify(data, null, 4),
-      );
+
+      ZAPReportTransformer.transformReport();
+
       const formData = new FormData();
 
       formData.append("resultVersion", data["@version"]);

diff --git a/src/utilities/ZAPReportTransformer.ts b/src/utilities/ZAPReportTransformer.ts
@@ -0,0 +1,51 @@
+import * as fs from "fs";
+import { SOOS_DAST_CONSTANTS } from "../constants";
+
+export class ZAPReportTransformer {
+  // TODO - PA-12868 Rework this approach
+  public static transformReport(): void {
+    const reportData = JSON.parse(
+      fs.readFileSync(SOOS_DAST_CONSTANTS.Files.ReportScanResultFile, "utf-8"),
+    );
+
+    this.addDiscoveredUrls(reportData);
+    this.obfuscateFields(reportData);
+    this.saveReportContent(reportData);
+  }
+
+  public static addDiscoveredUrls(reportData: any): void {
+    const discoveredUrls =
+      fs.existsSync(SOOS_DAST_CONSTANTS.Files.SpideredUrlsFile) &&
+      fs.statSync(SOOS_DAST_CONSTANTS.Files.SpideredUrlsFile).isFile()
+        ? fs
+            .readFileSync(SOOS_DAST_CONSTANTS.Files.SpideredUrlsFile, "utf-8")
+            .split("\n")
+            .filter((url) => url.trim() !== "")
+        : [];
+
+    reportData["discoveredUrls"] = discoveredUrls;
+  }
+
+  public static obfuscateFields(reportData: any): void {
+    for (let key in reportData) {
+      if (typeof reportData[key] === "object" && reportData[key] !== null) {
+        this.obfuscateFields(reportData[key]);
+      } else {
+        if (key === "request-header") {
+          reportData[key] = this.obfuscateBearerToken(reportData[key]);
+        }
+      }
+    }
+  }
+
+  private static obfuscateBearerToken(field: string): string {
+    return field.replace(/(Authorization:\s*)[^\r\n]+/, "$1****");
+  }
+
+  private static saveReportContent = (reportData: any) => {
+    fs.writeFileSync(
+      SOOS_DAST_CONSTANTS.Files.ReportScanResultFile,
+      JSON.stringify(reportData, null, 4),
+    );
+  };
+}
diff --git a/src/utilities/index.ts b/src/utilities/index.ts
@@ -1 +1,2 @@
 export * from "./ZAPCommandGenerator";
+export * from "./ZAPReportTransformer";