From f102c735334b64c85e48e0bf102e5a57ab5dc6e4 Mon Sep 17 00:00:00 2001 From: Joe Haines Date: Tue, 16 Jan 2024 12:08:59 +0000 Subject: [PATCH 1/2] Filter invalid URLs with query strings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As reported in #810, we don't handle invalid URLs in clean_url so raise if the URL isn't valid If the URL doesn't have a query string then it's not important that it fails validation and so we can return it as-is If the URL does have a query string and cannot be parsed, we can't redact parameters individually and so redact the whole query string instead — this way the URL could still be useful and we don't risk leaking sensitive data --- CHANGELOG.md | 7 +++++++ lib/bugsnag/cleaner.rb | 10 +++++++++- spec/cleaner_spec.rb | 12 ++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4932a8c8..812c4ff9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,13 @@ Changelog ========= +## TBD + +### Fixes + +* Fix unhandled `URI::InvalidURIError` in `Cleaner#clean_url` + | [#811](https://github.com/bugsnag/bugsnag-ruby/pull/811) + ## v6.26.1 (9 January 2024) ### Fixes diff --git a/lib/bugsnag/cleaner.rb b/lib/bugsnag/cleaner.rb index 75b7383c..600ba8e1 100644 --- a/lib/bugsnag/cleaner.rb +++ b/lib/bugsnag/cleaner.rb @@ -26,8 +26,16 @@ def clean_object(object) # @return [String] def clean_url(url) return url if @configuration.meta_data_filters.empty? && @configuration.redacted_keys.empty? + return url unless url.include?('?') + + begin + uri = URI(url) + rescue URI::InvalidURIError + pre_query_string, _query_string = url.split('?', 2) + + return "#{pre_query_string}?#{FILTERED}" + end - uri = URI(url) return url unless uri.query query_params = uri.query.split('&').map { |pair| pair.split('=') } diff --git a/spec/cleaner_spec.rb b/spec/cleaner_spec.rb index df33c449..f6908dbe 100644 --- a/spec/cleaner_spec.rb +++ b/spec/cleaner_spec.rb 
@@ -540,5 +540,17 @@ def to_s let(:url) { "https://host.example/sessions?access_token=abc123" } it { should eq "https://host.example/sessions?access_token=[FILTERED]" } end + + context "with an invalid URL" do + let(:filters) { [/token/] } + let(:url) { "https://host.example/a b c d e f g?access_token=abc123&password=secret&token2=xyz987" } + it { should eq "https://host.example/a b c d e f g?[FILTERED]" } + end + + context "with an invalid URL and no query string" do + let(:filters) { [/token/] } + let(:url) { "https://host.example/a b c d e f g" } + it { should eq "https://host.example/a b c d e f g" } + end end end From 32d8e4c32cdb32dac18afe4fef9641f5cd266c41 Mon Sep 17 00:00:00 2001 From: Joe Haines Date: Tue, 16 Jan 2024 12:08:48 +0000 Subject: [PATCH 2/2] Bump version --- CHANGELOG.md | 2 +- VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 812c4ff9..37fd688d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ Changelog ========= -## TBD +## v6.26.2 (17 January 2024) ### Fixes diff --git a/VERSION b/VERSION index 0e10c8e2..dde9f42f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.26.1 +6.26.2
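Review bot: in the `lib/bugsnag/cleaner.rb` hunk (`clean_url`), the `rescue URI::InvalidURIError` branch changes the method's contract (everything after the first `?`, including any `#fragment`, is replaced by `FILTERED`) but the `# @return [String]` doc comment directly above is not updated to say so; add a line such as `# If the URL cannot be parsed, the whole query string is replaced with FILTERED` so callers know the redaction is coarser for unparseable input. Also consider rescuing `URI::Error` (the parent of `URI::InvalidURIError`) so that any other parse failure takes the same redact-everything path instead of propagating out of `clean_url`, which is the situation #810 is about.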
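Review bot: in the `spec/cleaner_spec.rb` hunk, both new contexts make the URL invalid through spaces in the path (`/a b c d e f g`), so the `url.split('?', 2)` fallback is only exercised where the query portion itself would have parsed. Add a case where the invalid characters sit inside the query (for example `?access_token=abc 123`) and one with a trailing `#fragment`, to pin down that the whole query (and the fragment) is replaced with `[FILTERED]` in those shapes as well rather than only the path-based case.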
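Review bot: the `CHANGELOG.md` hunk in PATCH 1/2 only records that `URI::InvalidURIError` is no longer raised from `Cleaner#clean_url`; it does not mention the user-visible consequence that an unparseable URL with a query string is now reported as `...?[FILTERED]` with the entire query redacted. Since that alters the metadata users see in their dashboard, suggest a second line under the `Fixes` bullet describing that fallback behaviour.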