fix(HTTP Request Node): Sanitize authorization headers (#10607)

2024-10-06 09:37:36 +03:00 · 2024-08-29 15:28:03 +01:00 · 2024-08-29 15:28:03 +01:00 · 405c55a1f7
commit 405c55a1f7
parent c4eb3746d7
2 changed files with 80 additions and 0 deletions
--- a/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
+++ b/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
@ -88,7 +88,24 @@ export function sanitizeUiMessage(
 			),
 		};
 	}
+	const HEADER_BLOCKLIST = new Set([
+		'authorization',
+		'x-api-key',
+		'x-auth-token',
+		'cookie',
+		'proxy-authorization',
+		'sslclientcert',
+	]);

+	const headers = sendRequest.headers as IDataObject;
+
+	if (headers) {
+		for (const headerName of Object.keys(headers)) {
+			if (HEADER_BLOCKLIST.has(headerName.toLowerCase())) {
+				headers[headerName] = REDACTED;
+			}
+		}
+	}
 	if (secrets && secrets.length > 0) {
 		return redact(sendRequest, secrets);
 	}
--- a/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
+++ b/packages/nodes-base/nodes/HttpRequest/test/utils/utils.test.ts
@ -136,5 +136,68 @@ describe('HTTP Node Utils', () => {
 				uri: 'https://example.com',
 			});
 		});
+
+		const headersToTest = [
+			'authorization',
+			'x-api-key',
+			'x-auth-token',
+			'cookie',
+			'proxy-authorization',
+			'sslclientcert',
+		];
+
+		headersToTest.forEach((header) => {
+			it(`should redact the ${header} header when the key is lowercase`, () => {
+				const requestOptions: IRequestOptions = {
+					method: 'POST',
+					uri: 'https://example.com',
+					body: { sessionToken: 'secret', other: 'foo' },
+					headers: { [header]: 'some-sensitive-token', other: 'foo' },
+					auth: { user: 'user', password: 'secret' },
+				};
+
+				const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+				expect(sanitizedRequest.headers).toEqual({ [header]: REDACTED, other: 'foo' });
+			});
+
+			it(`should redact the ${header} header when the key is uppercase`, () => {
+				const requestOptions: IRequestOptions = {
+					method: 'POST',
+					uri: 'https://example.com',
+					body: { sessionToken: 'secret', other: 'foo' },
+					headers: { [header.toUpperCase()]: 'some-sensitive-token', other: 'foo' },
+					auth: { user: 'user', password: 'secret' },
+				};
+
+				const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+				expect(sanitizedRequest.headers).toEqual({
+					[header.toUpperCase()]: REDACTED,
+					other: 'foo',
+				});
+			});
+		});
+
+		it('should leave headers unchanged if Authorization header is not present', () => {
+			const requestOptions: IRequestOptions = {
+				method: 'POST',
+				uri: 'https://example.com',
+				body: { sessionToken: 'secret', other: 'foo' },
+				headers: { other: 'foo' },
+				auth: { user: 'user', password: 'secret' },
+			};
+			const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+			expect(sanitizedRequest.headers).toEqual({ other: 'foo' });
+		});
+
+		it('should handle case when headers are undefined', () => {
+			const requestOptions: IRequestOptions = {};
+
+			const sanitizedRequest = sanitizeUiMessage(requestOptions, {});
+
+			expect(sanitizedRequest.headers).toBeUndefined();
+		});
 	});
 });