From 59cb593899ba0511b512079ec053ea347ec90cd1 Mon Sep 17 00:00:00 2001 From: Regen Van Walbeek Date: Mon, 16 Dec 2024 17:18:36 -0600 Subject: [PATCH 1/2] Don't log bytes / body in the error message --- lib/src/http/response_format_exception.dart | 10 +++------- test/unit/http/http_body_test.dart | 4 ++-- test/unit/http/response_format_exception_test.dart | 9 ++++++--- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/lib/src/http/response_format_exception.dart b/lib/src/http/response_format_exception.dart index 8c2a5d99..dea1eeb1 100644 --- a/lib/src/http/response_format_exception.dart +++ b/lib/src/http/response_format_exception.dart @@ -34,25 +34,21 @@ class ResponseFormatException implements Exception { ResponseFormatException(this.contentType, this.encoding, {this.body, this.bytes}); - /// Descriptive error message that includes the content-type, encoding, as - /// well as the string or bytes that could not be encoded or decoded, - /// respectively. + /// Error message that includes the content-type an encoding String get message { String description; - String bodyLine; if (body != null) { description = 'Body could not be encoded.'; - bodyLine = 'Body: $body'; } else { description = 'Bytes could not be decoded.'; - bodyLine = 'Bytes: $bytes'; } String msg = description; final encodingName = encoding?.name ?? 'null'; msg += '\n\tContent-Type: $contentType'; msg += '\n\tEncoding: $encodingName'; - msg += '\n\t$bodyLine'; + // WARNING: Do not include `bytes` or `body` in the error message. It may contain + // sensitive information that we do not want logged. return msg; } diff --git a/test/unit/http/http_body_test.dart b/test/unit/http/http_body_test.dart index 3579d65e..046cb7b4 100644 --- a/test/unit/http/http_body_test.dart +++ b/test/unit/http/http_body_test.dart 
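Review bot: The replacement doc comment on the `message` getter in the response_format_exception.dart hunk has a typo and no terminating period; `/// Error message that includes the content-type and encoding.` reads correctly. With `bodyLine` removed the getter only branches to select a literal, so `final description = body != null ? 'Body could not be encoded.' : 'Bytes could not be decoded.';` would replace the mutable `String description;` and the if/else while keeping the output byte-identical. The `body` and `bytes` fields themselves still appear to be assigned by the public constructor shown at the top of the hunk, so echoing the new WARNING comment on those field declarations would make it clear to future readers that their omission from `message` is deliberate rather than an oversight. The enclosing class `ResponseFormatException` begins before the hunk.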
@@ -187,7 +187,7 @@ void main() { expect(exception.toString(), contains('Body could not be encoded')); expect(exception.toString(), contains('Content-Type: $contentType')); expect(exception.toString(), contains('Encoding: ${ascii.name}')); - expect(exception.toString(), contains('bodyçå®')); + expect(exception.toString(), isNot(contains('bodyçå®'))); }); test('should throw ResponseFormatException if bytes cannot be decoded', @@ -211,7 +211,7 @@ void main() { expect(exception.toString(), contains('Content-Type: $contentType')); expect(exception.toString(), contains('Encoding: ${ascii.name}')); expect( - exception.toString(), contains(utf8.encode('bodyçå®').toString())); + exception.toString(), isNot(contains(utf8.encode('bodyçå®')).toString())); }); }); diff --git a/test/unit/http/response_format_exception_test.dart b/test/unit/http/response_format_exception_test.dart index a003a0bd..587fea51 100644 --- a/test/unit/http/response_format_exception_test.dart +++ b/test/unit/http/response_format_exception_test.dart @@ -36,8 +36,9 @@ void main() { expect(exception.toString(), contains('Bytes could not be decoded')); expect(exception.toString(), contains('Content-Type: $contentType')); expect(exception.toString(), contains('Encoding: ${ascii.name}')); + // Do not log bytes, which may contain sensitive information expect( - exception.toString(), contains(utf8.encode('bodyçå®').toString())); + exception.toString(), isNot(contains(bytes).toString())); }); test('should detail why string could not be encoded', () { @@ -49,7 +50,8 @@ void main() { expect(exception.toString(), contains('Body could not be encoded')); expect(exception.toString(), contains('Content-Type: $contentType')); expect(exception.toString(), contains('Encoding: ${ascii.name}')); - expect(exception.toString(), contains('bodyçå®')); + // Do not log body, which may contain sensitive information + expect(exception.toString(), isNot(contains(body))); }); test('should warn if encoding is null', () { 
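Review bot: The rewritten bytes assertion in the `@@ -211` hunk of http_body_test.dart is vacuous: `.toString()` now applies to the `contains(...)` matcher instead of the encoded bytes, so `isNot` receives a plain String and wraps it as an equality check against the matcher's description, which the exception message can never equal, and the test passes even if the bytes are still logged. The intended check is `isNot(contains(utf8.encode('bodyçå®').toString()))`. The `@@ -36` hunk of response_format_exception_test.dart has the same defect with `isNot(contains(bytes).toString())`, where `isNot(contains(bytes.toString()))` is needed (passing the raw `List<int>` to `contains` against a String actual would not appear to be a substring check); the second patch's formatting hunks for both files carry these expressions over unchanged.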
@@ -61,7 +63,8 @@ void main() { expect(exception.toString(), contains('Body could not be encoded')); expect(exception.toString(), contains('Content-Type: $contentType')); expect(exception.toString(), contains('Encoding: null')); - expect(exception.toString(), contains('bodyçå®')); + // Do not log body, which may contain sensitive information + expect(exception.toString(), isNot(contains(body))); }); }); }); From d59483c25ca8f6681b4e20c140b550bd4a0076c3 Mon Sep 17 00:00:00 2001 From: Regen Van Walbeek Date: Tue, 17 Dec 2024 08:36:05 -0600 Subject: [PATCH 2/2] Fix up formatting --- test/unit/http/http_body_test.dart | 4 ++-- test/unit/http/response_format_exception_test.dart | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/test/unit/http/http_body_test.dart b/test/unit/http/http_body_test.dart index 046cb7b4..8fd70874 100644 --- a/test/unit/http/http_body_test.dart +++ b/test/unit/http/http_body_test.dart @@ -210,8 +210,8 @@ void main() { expect(exception.toString(), contains('Bytes could not be decoded')); expect(exception.toString(), contains('Content-Type: $contentType')); expect(exception.toString(), contains('Encoding: ${ascii.name}')); - expect( - exception.toString(), isNot(contains(utf8.encode('bodyçå®')).toString())); + expect(exception.toString(), + isNot(contains(utf8.encode('bodyçå®')).toString())); }); }); diff --git a/test/unit/http/response_format_exception_test.dart b/test/unit/http/response_format_exception_test.dart index 587fea51..11086287 100644 --- a/test/unit/http/response_format_exception_test.dart +++ b/test/unit/http/response_format_exception_test.dart 
@@ -37,8 +37,7 @@ void main() { expect(exception.toString(), contains('Content-Type: $contentType')); expect(exception.toString(), contains('Encoding: ${ascii.name}')); // Do not log bytes, which may contain sensitive information - expect( - exception.toString(), isNot(contains(bytes).toString())); + expect(exception.toString(), isNot(contains(bytes).toString())); }); test('should detail why string could not be encoded', () {