Merge pull request #535 from jbarbuto/sanitize_http_cookies
Modify http data string sanitizing to account for cookie delimiter
commit
1e893c9fea
|
@ -101,14 +101,27 @@ class SanitizePasswordsProcessor(Processor):
|
|||
|
||||
if isinstance(data[n], six.string_types) and '=' in data[n]:
|
||||
# at this point we've assumed it's a standard HTTP query
|
||||
querybits = []
|
||||
for bit in data[n].split('&'):
|
||||
chunk = bit.split('=')
|
||||
if len(chunk) == 2:
|
||||
querybits.append((chunk[0], self.sanitize(*chunk)))
|
||||
else:
|
||||
querybits.append(chunk)
|
||||
# or cookie
|
||||
if n == 'cookies':
|
||||
delimiter = ';'
|
||||
else:
|
||||
delimiter = '&'
|
||||
|
||||
data[n] = '&'.join('='.join(k) for k in querybits)
|
||||
data[n] = self._sanitize_keyvals(data[n], delimiter)
|
||||
else:
|
||||
data[n] = varmap(self.sanitize, data[n])
|
||||
if n == 'headers' and 'Cookie' in data[n]:
|
||||
data[n]['Cookie'] = self._sanitize_keyvals(
|
||||
data[n]['Cookie'], ';'
|
||||
)
|
||||
|
||||
def _sanitize_keyvals(self, keyvals, delimiter):
|
||||
sanitized_keyvals = []
|
||||
for keyval in keyvals.split(delimiter):
|
||||
keyval = keyval.split('=')
|
||||
if len(keyval) == 2:
|
||||
sanitized_keyvals.append((keyval[0], self.sanitize(*keyval)))
|
||||
else:
|
||||
sanitized_keyvals.append(keyval)
|
||||
|
||||
return delimiter.join('='.join(keyval) for keyval in sanitized_keyvals)
|
||||
|
|
|
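Review bot: `_sanitize_keyvals` splits each pair with `keyval.split('=')` and masks only when that yields exactly two parts, so any value that itself contains `=` (base64-padded session tokens are the usual case) is appended unmasked — the very values this processor exists to redact; use `keyval = keyval.split('=', 1)` so everything after the first `=` stays in the value. The removed loop had the same two-part check, but the helper is now also applied to the `Cookie` header, which widens the exposure. Browsers send `Cookie` as `; `-separated pairs, so keys reach `self.sanitize` with a leading space — whether the name match still fires depends on `sanitize`, which is outside this hunk, and the case-sensitive `'Cookie' in data[n]` lookup will skip a lower-cased header key. The enclosing method begins before the hunk.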
@ -51,14 +51,13 @@ def get_http_data():
|
|||
data = get_stack_trace_data_real()
|
||||
|
||||
data['request'] = {
|
||||
'cookies': {},
|
||||
'cookies': VARS,
|
||||
'data': VARS,
|
||||
'env': VARS,
|
||||
'headers': VARS,
|
||||
'method': 'GET',
|
||||
'query_string': '',
|
||||
'url': 'http://localhost/',
|
||||
'cookies': VARS,
|
||||
}
|
||||
return data
|
||||
|
||||
|
@ -145,6 +144,47 @@ class SanitizePasswordsProcessorTest(TestCase):
|
|||
http = result['request']
|
||||
self.assertEquals(http['query_string'], 'foo=bar&password&baz=bar' % dict(m=proc.MASK))
|
||||
|
||||
def test_cookie_as_string(self):
|
||||
data = get_http_data()
|
||||
data['request']['cookies'] = 'foo=bar;password=hello;the_secret=hello'\
|
||||
';a_password_here=hello;api_key=secret_key'
|
||||
|
||||
proc = SanitizePasswordsProcessor(Mock())
|
||||
result = proc.process(data)
|
||||
|
||||
self.assertTrue('request' in result)
|
||||
http = result['request']
|
||||
self.assertEquals(
|
||||
http['cookies'],
|
||||
'foo=bar;password=%(m)s;the_secret=%(m)s'
|
||||
';a_password_here=%(m)s;api_key=%(m)s' % dict(m=proc.MASK))
|
||||
|
||||
def test_cookie_as_string_with_partials(self):
|
||||
data = get_http_data()
|
||||
data['request']['cookies'] = 'foo=bar;password;baz=bar'
|
||||
|
||||
proc = SanitizePasswordsProcessor(Mock())
|
||||
result = proc.process(data)
|
||||
|
||||
self.assertTrue('request' in result)
|
||||
http = result['request']
|
||||
self.assertEquals(http['cookies'], 'foo=bar;password;baz=bar' % dict(m=proc.MASK))
|
||||
|
||||
def test_cookie_header(self):
|
||||
data = get_http_data()
|
||||
data['request']['headers']['Cookie'] = 'foo=bar;password=hello'\
|
||||
';the_secret=hello;a_password_here=hello;api_key=secret_key'
|
||||
|
||||
proc = SanitizePasswordsProcessor(Mock())
|
||||
result = proc.process(data)
|
||||
|
||||
self.assertTrue('request' in result)
|
||||
http = result['request']
|
||||
self.assertEquals(
|
||||
http['headers']['Cookie'],
|
||||
'foo=bar;password=%(m)s'
|
||||
';the_secret=%(m)s;a_password_here=%(m)s;api_key=%(m)s' % dict(m=proc.MASK))
|
||||
|
||||
def test_sanitize_credit_card(self):
|
||||
proc = SanitizePasswordsProcessor(Mock())
|
||||
result = proc.sanitize('foo', '4242424242424242')
|
||||
|
|
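Review bot: `test_cookie_as_string_with_partials` applies `% dict(m=proc.MASK)` to a literal that has no `%(m)s` placeholder, so the modulo is a no-op and the assertion only looks as if it checks masking; write it as `self.assertEquals(http['cookies'], 'foo=bar;password;baz=bar')`. None of the three new tests feed a value containing `=` or the `; ` separator with a space that real `Cookie` headers use, which are the inputs most likely to make `_sanitize_keyvals` leave a secret unmasked. `assertEquals` is a deprecated alias of `assertEqual`. `test_sanitize_credit_card` continues past the end of the hunk.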