Add a processor to sanitize the HTTP headers
Showing
5 changed files
with
170 additions
and
0 deletions.
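--- /dev/null
+++ b/PATH_NOT_SHOWN_IN_PAGE
@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * This file is part of Raven.
+ *
+ * (c) Sentry Team
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+/**
+ * This processor sanitizes the configured HTTP headers to ensure no sensitive
+ * informations are sent to the server.
+ *
+ * @author Stefano Arlandini <[email protected]>
+ */
+final class Raven_Processor_SanitizeHttpHeadersProcessor extends Raven_Processor
+{
+    /**
+     * @var string[] $httpHeadersToSanitize The list of HTTP headers to sanitize
+     */
+    private $httpHeadersToSanitize;
+
+    /**
+     * {@inheritdoc}
+     */
+    public function __construct(Raven_Client $client)
+    {
+        parent::__construct($client);
+
+        $this->httpHeadersToSanitize = array_merge($this->getDefaultHeaders(), $client->getSanitizeHttpHeaders());
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function process(&$data)
+    {
+        if (isset($data['request']) && isset($data['request']['headers'])) {
+            foreach ($data['request']['headers'] as $header => &$value) {
+                if (in_array($header, $this->httpHeadersToSanitize)) {
+                    $value = self::STRING_MASK;
+                }
+            }
+        }
+    }
+
+    /**
+     * Gets the list of default headers that must be sanitized.
+     *
+     * @return string[]
+     */
+    private function getDefaultHeaders()
+    {
+        return array('Authorization', 'Proxy-Authorization', 'X-Csrf-Token', 'X-CSRFToken', 'X-XSRF-TOKEN');
+    }
+}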
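Review bot: The comparison `in_array($header, $this->httpHeadersToSanitize)` in process() is case-sensitive and non-strict, so a header keyed as `authorization` or `AUTHORIZATION` passes through unmasked although HTTP header names are case-insensitive; the three spellings of the CSRF header in getDefaultHeaders() suggest this was worked around by enumeration rather than fixed. Normalise once in the constructor, `$this->httpHeadersToSanitize = array_map('strtolower', array_merge($this->getDefaultHeaders(), $client->getSanitizeHttpHeaders()));`, and compare with `if (in_array(strtolower($header), $this->httpHeadersToSanitize, true)) {`. How the keys of `$data['request']['headers']` are cased depends on the code that builds the event, which is outside this commit, so the normalisation should not rely on it. Consider whether `Cookie` belongs in the default list, since session identifiers commonly travel in it. The `foreach` binds `$value` by reference; add `unset($value);` after the loop so no dangling reference survives if the method grows.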
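--- /dev/null
+++ b/test/Raven/Tests/Processor/SanitizeHttpHeadersProcessorTest.php
@@ -0,0 +1,84 @@
+<?php
+
+/*
+ * This file is part of Raven.
+ *
+ * (c) Sentry Team
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+class Raven_SanitizeHttpHeadersProcessorTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Raven_Processor_SanitizeHttpHeadersProcessor|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $processor;
+
+    protected function setUp()
+    {
+        /** @var \Raven_Client|\PHPUnit_Framework_MockObject_MockObject $client */
+        $client = $this->getMockBuilder('\Raven_Client')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $client->expects($this->once())
+            ->method('getSanitizeHttpHeaders')
+            ->willReturn(array('User-Defined-Header'));
+
+        $this->processor = new Raven_Processor_SanitizeHttpHeadersProcessor($client);
+    }
+
+    /**
+     * @dataProvider processDataProvider
+     */
+    public function testProcess($inputData, $expectedData)
+    {
+        $this->processor->process($inputData);
+
+        $this->assertArraySubset($expectedData, $inputData);
+    }
+
+    public function processDataProvider()
+    {
+        return array(
+            array(
+                array(
+                    'request' => array(
+                        'headers' => array(
+                            'Authorization' => 'foo',
+                            'AnotherHeader' => 'bar',
+                        ),
+                    ),
+                ),
+                array(
+                    'request' => array(
+                        'headers' => array(
+                            'Authorization' => Raven_Processor::STRING_MASK,
+                            'AnotherHeader' => 'bar',
+                        ),
+                    ),
+                ),
+            ),
+            array(
+                array(
+                    'request' => array(
+                        'headers' => array(
+                            'User-Defined-Header' => 'foo',
+                            'AnotherHeader' => 'bar',
+                        ),
+                    ),
+                ),
+                array(
+                    'request' => array(
+                        'headers' => array(
+                            'User-Defined-Header' => Raven_Processor::STRING_MASK,
+                            'AnotherHeader' => 'bar',
+                        ),
+                    ),
+                ),
+            ),
+        );
+    }
+}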
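Review bot: processDataProvider() has no dataset for the paths process() guards with isset(), so an event without a `request` key, or with `request` but no `headers`, is never exercised and a regression in that guard would go unnoticed; add a constructed dataset such as `array(array('message' => 'foo'), array('message' => 'foo'))` to the provider. `$this->assertArraySubset($expectedData, $inputData);` in testProcess() only checks that the expected entries are present, so a header wrongly added or dropped by the processor would not fail the test; `$this->assertSame($expectedData, $inputData);` pins the whole structure. There is also no dataset with a header whose name differs from the configured one only in letter case, which would document the intended matching semantics either way.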