Using the keyFilters parameter of the Bugsnag configuration to filter…

… out sensitive data from the request headers. Fixes #74
ml-archive · Oct 3, 2020 · 9eada43 · 9eada43
1 parent 0e32f80
commit 9eada43
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/Sources/Bugsnag/BugsnagReporter.swift b/Sources/Bugsnag/BugsnagReporter.swift
@@ -102,10 +102,22 @@ extension BugsnagReporter {
             } else {
                 eventRequestBody = nil
             }
+
+            var headerDict: [String : Any] = request.headers.reduce([:], { result, value in
+                var copy = result
+                copy[value.0] = value.1
+                return copy
+            })
+            strip(keys: configuration.keyFilters, from: &headerDict)
+
+            let filteredHeaders: [(String, String)] = headerDict.map {
+                k, v in (k, v as! String)
+            }
+
             eventRequest = .init(
                 body: eventRequestBody,
                 clientIp: request.headers.forwarded.first(where: { $0.for != nil })?.for ?? request.remoteAddress?.hostname,
-                headers: .init(uniqueKeysWithValues: request.headers.map { $0 }),
+                headers: .init(uniqueKeysWithValues: filteredHeaders),
                 httpMethod: request.method.string,
                 referer: "n/a",
                 url: request.url.string

diff --git a/Tests/BugsnagTests/BugsnagTests.swift b/Tests/BugsnagTests/BugsnagTests.swift
@@ -57,7 +57,7 @@ final class BugsnagTests: XCTestCase {
         app.bugsnag.configuration = .init(
             apiKey: "foo",
             releaseStage: "debug",
-            keyFilters: ["email", "password"]
+            keyFilters: ["email", "password", "Authorization"]
         )
         app.clients.use(.test)
 
@@ -90,7 +90,9 @@ final class BugsnagTests: XCTestCase {
                 application: app,
                 method: .POST,
                 url: "/test",
-                on: app.eventLoopGroup.next()
+                headers: [
+                    "Authorization": "Bearer SupErSecretT0ken!"
+                ], on: app.eventLoopGroup.next()
             )
             try request.content.encode(vapor)
             try request.bugsnag.report(Abort(.internalServerError, reason: "Oops")).wait()
@@ -103,13 +105,15 @@ final class BugsnagTests: XCTestCase {
                 User.self,
                 from: Data(payload.events[0].request!.body!.utf8)
             )
+            let headers = payload.events[0].request!.headers
             XCTAssertEqual(user.name, "Vapor")
             XCTAssertEqual(user.email, "<hidden>")
             XCTAssertEqual(user.password, "<hidden>")
             XCTAssertEqual(user.user?.name, "Swift")
             XCTAssertEqual(user.user?.email, "<hidden>")
             XCTAssertEqual(user.user?.password, "<hidden>")
             XCTAssertNil(user.user?.user)
+            XCTAssertEqual(headers["Authorization"], "<hidden>")
         }
     }