From bc1165be465843033ed305e037238d6e09a7885c Mon Sep 17 00:00:00 2001 From: Henry Heino <46334387+personalizedrefrigerator@users.noreply.github.com> Date: Thu, 18 Jan 2024 03:20:33 -0800 Subject: [PATCH] Desktop,Mobile,Cli: Resolves #9706: Don't log OneDrive `Authorization` tokens (#9707) --- .eslintignore | 1 + .gitignore | 1 + packages/lib/onedrive-api.test.ts | 19 ++++++++++++++++ packages/lib/onedrive-api.ts | 36 ++++++++++++++++++++++++++++++- 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 packages/lib/onedrive-api.test.ts diff --git a/.eslintignore b/.eslintignore index e273bd91b..8f936e72e 100644 --- a/.eslintignore +++ b/.eslintignore @@ -740,6 +740,7 @@ packages/lib/models/utils/userData.test.js packages/lib/models/utils/userData.js packages/lib/net-utils.js packages/lib/ntp.js +packages/lib/onedrive-api.test.js packages/lib/onedrive-api.js packages/lib/path-utils.js packages/lib/reducer.js diff --git a/.gitignore b/.gitignore index bb467bccf..6763ede60 100644 --- a/.gitignore +++ b/.gitignore @@ -720,6 +720,7 @@ packages/lib/models/utils/userData.test.js packages/lib/models/utils/userData.js packages/lib/net-utils.js packages/lib/ntp.js +packages/lib/onedrive-api.test.js packages/lib/onedrive-api.js packages/lib/path-utils.js packages/lib/reducer.js diff --git a/packages/lib/onedrive-api.test.ts b/packages/lib/onedrive-api.test.ts new file mode 100644 index 000000000..413ca7a12 --- /dev/null +++ b/packages/lib/onedrive-api.test.ts @@ -0,0 +1,19 @@ +import OneDriveApi from './onedrive-api'; + +describe('onedrive-api', () => { + test.each([ + [{ Authorization: 'testing' }, { Authorization: '[[DELETED]]' }], + [{ headers: { Authorization: 'testing' } }, { headers: { Authorization: '[[DELETED]]' } }], + [ + { foo: { Authorization: 'testing', bar: 'test' }, baz: 'test2', Authorization: 'testing' }, + { foo: { Authorization: '[[DELETED]]', bar: 'test' }, baz: 'test2', Authorization: '[[DELETED]]' }, + ], + [ + { a: { b: { c: { d: { e: { f: { g: 'Test' } } } }, Authorization: 'bearer someidhere' } } }, + { a: { b: { c: { d: { e: { f: '[[depth-exceeded]]' } } }, Authorization: '[[DELETED]]' } } }, + ], + ])('authorizationTokenRemoved should remove Authorization field', (object, expected) => { + const api = new OneDriveApi('testID', 'secret', true); + expect(api.authorizationTokenRemoved(object)).toMatchObject(expected); + }); +}); diff --git a/packages/lib/onedrive-api.ts b/packages/lib/onedrive-api.ts index ee7ed5a5d..e9a61d42b 100644 --- a/packages/lib/onedrive-api.ts +++ b/packages/lib/onedrive-api.ts @@ -228,6 +228,34 @@ export default class OneDriveApi { } } + // Takes an object in the form + // { headers: { Authorization: "token here" } } + // or + // { Authorization: "token here" } + // Intended to be used for before logging objects that could potentially have an + // Authorization token. + public authorizationTokenRemoved(data: any, depth = 0) { + const newData: any = {}; + + if (!data || typeof data !== 'object') { + return data; + } + + if (depth > 5) { + return '[[depth-exceeded]]'; + } + + for (const key in data) { + if (key === 'Authorization') { + newData[key] = '[[DELETED]]'; + } else { + newData[key] = this.authorizationTokenRemoved(data[key], depth + 1); + } + } + + return newData; + } + public async exec(method: string, path: string, query: any = null, data: any = null, options: any = null) { if (!path) throw new Error('Path is required'); @@ -363,7 +391,13 @@ export default class OneDriveApi { // Deleting a non-existing item is ok - noop return; } else { - error.request = `${method} ${url} ${JSON.stringify(query)} ${JSON.stringify(data)} ${JSON.stringify(options)}`; + error.request = [ + method, + url, + JSON.stringify(query), + JSON.stringify(this.authorizationTokenRemoved(data)), + JSON.stringify(this.authorizationTokenRemoved(options)), + ].join(' '); error.headers = await response.headers; throw error; }