Merge pull request #75 from raphaelcruzeiro/master

siemensikkema · web-flow · commit 4f02ae4b0ace · 2020-10-09T08:17:51.000+02:00
Filter out sensitive data from the HTTP headers
diff --git a/Sources/Bugsnag/BugsnagReporter.swift b/Sources/Bugsnag/BugsnagReporter.swift
@@ -102,10 +102,21 @@ extension BugsnagReporter {
             } else {
                 eventRequestBody = nil
             }
+            
+            var headerDict: [String : Any] = request.headers.reduce(into: [:]) { result, value in
+                result[value.0] = value.1
+            }
+            strip(keys: configuration.keyFilters, from: &headerDict)
+
+            let filteredHeaders: [(String, String)] = headerDict.compactMap { k, v in
+                guard let value = v as? String else { return nil }
+                return (k, value)
+            }
+            
             eventRequest = .init(
                 body: eventRequestBody,
                 clientIp: request.headers.forwarded.first(where: { $0.for != nil })?.for ?? request.remoteAddress?.hostname,
-                headers: .init(uniqueKeysWithValues: request.headers.map { $0 }),
+                headers: .init(uniqueKeysWithValues: filteredHeaders),
                 httpMethod: request.method.string,
                 referer: "n/a",
                 url: request.url.string
diff --git a/Tests/BugsnagTests/BugsnagTests.swift b/Tests/BugsnagTests/BugsnagTests.swift
@@ -57,7 +57,7 @@ final class BugsnagTests: XCTestCase {
         app.bugsnag.configuration = .init(
             apiKey: "foo",
             releaseStage: "debug",
-            keyFilters: ["email", "password"]
+            keyFilters: ["email", "password", "Authorization"]
         )
         app.clients.use(.test)
 
@@ -90,7 +90,9 @@ final class BugsnagTests: XCTestCase {
                 application: app,
                 method: .POST,
                 url: "/test",
-                on: app.eventLoopGroup.next()
+                headers: [
+                    "Authorization": "Bearer SupErSecretT0ken!"
+                ], on: app.eventLoopGroup.next()
             )
             try request.content.encode(vapor)
             try request.bugsnag.report(Abort(.internalServerError, reason: "Oops")).wait()
@@ -103,13 +105,15 @@ final class BugsnagTests: XCTestCase {
                 User.self,
                 from: Data(payload.events[0].request!.body!.utf8)
             )
+            let headers = payload.events[0].request!.headers
             XCTAssertEqual(user.name, "Vapor")
             XCTAssertEqual(user.email, "<hidden>")
             XCTAssertEqual(user.password, "<hidden>")
             XCTAssertEqual(user.user?.name, "Swift")
             XCTAssertEqual(user.user?.email, "<hidden>")
             XCTAssertEqual(user.user?.password, "<hidden>")
             XCTAssertNil(user.user?.user)
+            XCTAssertEqual(headers["Authorization"], "<hidden>")
         }
     }
 
