
Hide authorization header in httprequest debug output (#2953)

Co-authored-by: Nathan Shaaban <86252985+nshaaban-cPacket@users.noreply.github.com>
Co-authored-by: Rob Ede <robjtede@icloud.com>
This commit is contained in:
Nathan Shaaban 2023-07-19 18:51:17 +00:00 committed by GitHub
parent 4272510261
commit 80185ce741
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 57 additions and 1 deletions


@ -10,6 +10,7 @@
### Changed ### Changed
- Handler functions can now receive up to 16 extractor parameters. - Handler functions can now receive up to 16 extractor parameters.
- Hide sensitive header values in `HttpRequest`'s `Debug` output.
- Minimum supported Rust version (MSRV) is now 1.65 due to transitive `time` dependency. - Minimum supported Rust version (MSRV) is now 1.65 due to transitive `time` dependency.
## 4.3.1 - 2023-02-26 ## 4.3.1 - 2023-02-26


@ -435,16 +435,28 @@ impl fmt::Debug for HttpRequest {
self.inner.head.method, self.inner.head.method,
self.path() self.path()
)?; )?;
if !self.query_string().is_empty() { if !self.query_string().is_empty() {
writeln!(f, " query: ?{:?}", self.query_string())?; writeln!(f, " query: ?{:?}", self.query_string())?;
} }
if !self.match_info().is_empty() { if !self.match_info().is_empty() {
writeln!(f, " params: {:?}", self.match_info())?; writeln!(f, " params: {:?}", self.match_info())?;
} }
writeln!(f, " headers:")?; writeln!(f, " headers:")?;
for (key, val) in self.headers().iter() { for (key, val) in self.headers().iter() {
writeln!(f, " {:?}: {:?}", key, val)?; match key {
// redact sensitive header values from debug output
&crate::http::header::AUTHORIZATION
| &crate::http::header::PROXY_AUTHORIZATION
| &crate::http::header::COOKIE => writeln!(f, " {:?}: {:?}", key, "*redacted*")?,
_ => writeln!(f, " {:?}: {:?}", key, val)?,
}
} }
Ok(()) Ok(())
} }
} }
@ -908,4 +920,47 @@ mod tests {
let body = read_body(bar_resp).await; let body = read_body(bar_resp).await;
assert_eq!(body, "http://localhost:8080/bar/nested"); assert_eq!(body, "http://localhost:8080/bar/nested");
} }
#[test]
fn authorization_header_hidden_in_debug() {
let authorization_header = "Basic bXkgdXNlcm5hbWU6bXkgcGFzc3dvcmQK";
let req = TestRequest::get()
.insert_header((crate::http::header::AUTHORIZATION, authorization_header))
.to_http_request();
assert!(!format!("{:?}", req).contains(authorization_header));
}
#[test]
fn proxy_authorization_header_hidden_in_debug() {
let proxy_authorization_header = "secret value";
let req = TestRequest::get()
.insert_header((
crate::http::header::PROXY_AUTHORIZATION,
proxy_authorization_header,
))
.to_http_request();
assert!(!format!("{:?}", req).contains(proxy_authorization_header));
}
#[test]
fn cookie_header_hidden_in_debug() {
let cookie_header = "secret";
let req = TestRequest::get()
.insert_header((crate::http::header::COOKIE, cookie_header))
.to_http_request();
assert!(!format!("{:?}", req).contains(cookie_header));
}
#[test]
fn other_header_visible_in_debug() {
let location_header = "192.0.0.1";
let req = TestRequest::get()
.insert_header((crate::http::header::LOCATION, location_header))
.to_http_request();
assert!(format!("{:?}", req).contains(location_header));
}
} }
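Review bot: The three hidden-header tests added at the end of `mod tests` only assert that the secret substring is absent from the `Debug` output, so a regression that stops emitting the Authorization, Proxy-Authorization or Cookie line altogether (or drops the headers block entirely) would still pass; each of them should also pin the marker, e.g. `assert!(format!("{:?}", req).contains("*redacted*"));`, and ideally that the header name itself is still listed. In the first hunk the redaction is a fixed allowlist of three names matched inside `fmt` (which begins above the hunk), so any other credential-bearing header a service accepts is still printed verbatim; the `// redact sensitive header values from debug output` comment should say that only these three names are covered, so readers do not take `{:?}` on an `HttpRequest` as safe for arbitrary headers. The positive test `other_header_visible_in_debug` uses `LOCATION`, a response header, on a request; it passes, but a request header such as `USER_AGENT` would make the intent clearer.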