Merge pull request #535 from jbarbuto/sanitize_http_cookies

Modify http data string sanitizing to account for cookie delimiter

raven/processors.py

@@ -101,14 +101,27 @@ class SanitizePasswordsProcessor(Processor):
 
             if isinstance(data[n], six.string_types) and '=' in data[n]:
                 # at this point we've assumed it's a standard HTTP query
-                querybits = []
-                for bit in data[n].split('&'):
-                    chunk = bit.split('=')
-                    if len(chunk) == 2:
-                        querybits.append((chunk[0], self.sanitize(*chunk)))
-                    else:
-                        querybits.append(chunk)
+                # or cookie
+                if n == 'cookies':
+                    delimiter = ';'
+                else:
+                    delimiter = '&'
 
-                data[n] = '&'.join('='.join(k) for k in querybits)
+                data[n] = self._sanitize_keyvals(data[n], delimiter)
             else:
                 data[n] = varmap(self.sanitize, data[n])
+                if n == 'headers' and 'Cookie' in data[n]:
+                    data[n]['Cookie'] = self._sanitize_keyvals(
+                        data[n]['Cookie'], ';'
+                    )
+
+    def _sanitize_keyvals(self, keyvals, delimiter):
+        sanitized_keyvals = []
+        for keyval in keyvals.split(delimiter):
+            keyval = keyval.split('=')
+            if len(keyval) == 2:
+                sanitized_keyvals.append((keyval[0], self.sanitize(*keyval)))
+            else:
+                sanitized_keyvals.append(keyval)
+
+        return delimiter.join('='.join(keyval) for keyval in sanitized_keyvals)

tests/processors/tests.py

@@ -51,14 +51,13 @@ def get_http_data():
     data = get_stack_trace_data_real()
 
     data['request'] = {
-        'cookies': {},
+        'cookies': VARS,
         'data': VARS,
         'env': VARS,
         'headers': VARS,
         'method': 'GET',
         'query_string': '',
         'url': 'http://localhost/',
-        'cookies': VARS,
     }
     return data
 
@@ -145,6 +144,47 @@ class SanitizePasswordsProcessorTest(TestCase):
         http = result['request']
         self.assertEquals(http['query_string'], 'foo=bar&password&baz=bar' % dict(m=proc.MASK))
 
+    def test_cookie_as_string(self):
+        data = get_http_data()
+        data['request']['cookies'] = 'foo=bar;password=hello;the_secret=hello'\
+            ';a_password_here=hello;api_key=secret_key'
+
+        proc = SanitizePasswordsProcessor(Mock())
+        result = proc.process(data)
+
+        self.assertTrue('request' in result)
+        http = result['request']
+        self.assertEquals(
+            http['cookies'],
+            'foo=bar;password=%(m)s;the_secret=%(m)s'
+            ';a_password_here=%(m)s;api_key=%(m)s' % dict(m=proc.MASK))
+
+    def test_cookie_as_string_with_partials(self):
+        data = get_http_data()
+        data['request']['cookies'] = 'foo=bar;password;baz=bar'
+
+        proc = SanitizePasswordsProcessor(Mock())
+        result = proc.process(data)
+
+        self.assertTrue('request' in result)
+        http = result['request']
+        self.assertEquals(http['cookies'], 'foo=bar;password;baz=bar' % dict(m=proc.MASK))
+
+    def test_cookie_header(self):
+        data = get_http_data()
+        data['request']['headers']['Cookie'] = 'foo=bar;password=hello'\
+                ';the_secret=hello;a_password_here=hello;api_key=secret_key'
+
+        proc = SanitizePasswordsProcessor(Mock())
+        result = proc.process(data)
+
+        self.assertTrue('request' in result)
+        http = result['request']
+        self.assertEquals(
+            http['headers']['Cookie'],
+            'foo=bar;password=%(m)s'
+            ';the_secret=%(m)s;a_password_here=%(m)s;api_key=%(m)s' % dict(m=proc.MASK))
+
     def test_sanitize_credit_card(self):
         proc = SanitizePasswordsProcessor(Mock())
         result = proc.sanitize('foo', '4242424242424242')