Hide authorization header in httprequest debug output (#2953)

Co-authored-by: Nathan Shaaban <86252985+nshaaban-cPacket@users.noreply.github.com> Co-authored-by: Rob Ede <robjtede@icloud.com>
2025-01-18 22:01:50 +01:00 · 2023-07-19 18:51:17 +00:00 · 2023-07-19 18:51:17 +00:00 · 80185ce741
commit 80185ce741
parent 4272510261
2 changed files with 57 additions and 1 deletions
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@ -10,6 +10,7 @@
 ### Changed

 - Handler functions can now receive up to 16 extractor parameters.
+- Hide sensitive header values in `HttpRequest`'s `Debug` output.
 - Minimum supported Rust version (MSRV) is now 1.65 due to transitive `time` dependency.

 ## 4.3.1 - 2023-02-26
--- a/actix-web/src/request.rs
+++ b/actix-web/src/request.rs
@ -435,16 +435,28 @@ impl fmt::Debug for HttpRequest {
            self.inner.head.method,
            self.path()
        )?;
+
        if !self.query_string().is_empty() {
            writeln!(f, "  query: ?{:?}", self.query_string())?;
        }
+
        if !self.match_info().is_empty() {
            writeln!(f, "  params: {:?}", self.match_info())?;
        }
+
        writeln!(f, "  headers:")?;
+
        for (key, val) in self.headers().iter() {
-            writeln!(f, "    {:?}: {:?}", key, val)?;
+            match key {
+                // redact sensitive header values from debug output
+                &crate::http::header::AUTHORIZATION
+                | &crate::http::header::PROXY_AUTHORIZATION
+                | &crate::http::header::COOKIE => writeln!(f, "    {:?}: {:?}", key, "*redacted*")?,
+
+                _ => writeln!(f, "    {:?}: {:?}", key, val)?,
+            }
        }
+
        Ok(())
    }
 }
@ -908,4 +920,47 @@ mod tests {
        let body = read_body(bar_resp).await;
        assert_eq!(body, "http://localhost:8080/bar/nested");
    }
+
+    #[test]
+    fn authorization_header_hidden_in_debug() {
+        let authorization_header = "Basic bXkgdXNlcm5hbWU6bXkgcGFzc3dvcmQK";
+        let req = TestRequest::get()
+            .insert_header((crate::http::header::AUTHORIZATION, authorization_header))
+            .to_http_request();
+
+        assert!(!format!("{:?}", req).contains(authorization_header));
+    }
+
+    #[test]
+    fn proxy_authorization_header_hidden_in_debug() {
+        let proxy_authorization_header = "secret value";
+        let req = TestRequest::get()
+            .insert_header((
+                crate::http::header::PROXY_AUTHORIZATION,
+                proxy_authorization_header,
+            ))
+            .to_http_request();
+
+        assert!(!format!("{:?}", req).contains(proxy_authorization_header));
+    }
+
+    #[test]
+    fn cookie_header_hidden_in_debug() {
+        let cookie_header = "secret";
+        let req = TestRequest::get()
+            .insert_header((crate::http::header::COOKIE, cookie_header))
+            .to_http_request();
+
+        assert!(!format!("{:?}", req).contains(cookie_header));
+    }
+
+    #[test]
+    fn other_header_visible_in_debug() {
+        let location_header = "192.0.0.1";
+        let req = TestRequest::get()
+            .insert_header((crate::http::header::LOCATION, location_header))
+            .to_http_request();
+
+        assert!(format!("{:?}", req).contains(location_header));
+    }
 }