Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize request headers like other metadata fields #104

Merged
merged 1 commit into from
Mar 18, 2019
Merged

Sanitize request headers like other metadata fields #104

merged 1 commit into from
Mar 18, 2019

Conversation

tgwizard
Copy link
Contributor

@tgwizard tgwizard commented Mar 15, 2019
edited by kinbiko
Loading

Goal

Make sure that all data sanitization using Config.ParamsFilters behaves the same. the ParamsFilters slice should contain "sensitive substrings", so if a key contains any of the ParamsFilters, it should be considered sensitive.

This is already the case in the metadata sanitizer:

bugsnag-go/metadata.go

Lines 185 to 192 in 834d8fe

func (s sanitizer) shouldRedact(key string) bool {
for _, filter := range s.Filters {
if strings.Contains(strings.ToLower(key), strings.ToLower(filter)) {
return true
}
}
return false
}

Design

Why was this approach to the goal used?

Use the same string.Contains logic also for request headers. Makes sure to filter heades like Set-Cookie or X-Service-Secret.

Changeset

Changed

Changed request_extractor.contains.

Tests

Updated the corresponding test case.

Discussion

Alternative Approaches

Outstanding Questions

Linked issues

Review

For the submitter, initial self-review:

  • Commented on code changes inline explain the reasoning behind the approach
  • Reviewed the test cases added for completeness and possible points for discussion
  • A changelog entry was added for the goal of this pull request
  • Check the scope of the changeset - is everything in the diff required for the pull request?
  • This pull request is ready for:
    • Initial review of the intended approach, not yet feature complete
    • Structural review of the classes, functions, and properties modified
    • Final review

For the pull request reviewer(s), this changeset has been reviewed for:

  • Consistency across platforms for structures or concepts added or modified
  • Consistency between the changeset and the goal stated above
  • Internal consistency with the rest of the library - is there any overlap between existing interfaces and any which have been added?
  • Usage friction - is the proposed change in usage cumbersome or complicated?
  • Performance and complexity - are there any cases of unexpected O(n^3) when iterating, recursing, flat mapping, etc?
  • Concurrency concerns - if components are accessed asynchronously, what issues will arise
  • Thoroughness of added tests and any missing edge cases
  • Idiomatic use of the language

@tgwizard
Copy link
Contributor Author

I think the test failures are unrelated to my change.

@tgwizard
Copy link
Contributor Author

Bump - please have a look. This PR is rather small (a one-line change, or two lines if you count the test).

@kinbiko
Copy link
Contributor

kinbiko commented Mar 18, 2019

Hi @tgwizard,

Thanks for submitting this. Looks like a reasonable change. I'll merge it into the release-branch for the next release.

@kinbiko kinbiko self-requested a review March 18, 2019 10:29
@kinbiko kinbiko changed the base branch from master to release-v1.4.1 March 18, 2019 10:30
@kinbiko kinbiko merged commit ddf27c4 into bugsnag:release-v1.4.1 Mar 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kinbiko kinbiko Awaiting requested review from kinbiko

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tgwizard @kinbiko