Fix Request.toString leaking sensitive headers. (#7458)
okiolover authored Oct 16, 2022
1 parent 96e1f9a commit 6e5dfe7
Showing 2 changed files with 28 additions and 1 deletion.
3 changes: 2 additions & 1 deletion okhttp/src/jvmMain/kotlin/okhttp3/Request.kt
@@ -32,6 +32,7 @@ import okhttp3.internal.commonPost
import okhttp3.internal.commonPut
import okhttp3.internal.commonRemoveHeader
import okhttp3.internal.commonTag
import okhttp3.internal.isSensitiveHeader

actual class Request internal actual constructor(builder: Builder) {
@get:JvmName("url")
@@ -166,7 +167,7 @@ actual class Request internal actual constructor(builder: Builder) {
}
append(name)
append(':')
append(value)
append(if (isSensitiveHeader(name)) "██" else value)
}
append(']')
}
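Review bot: The redaction in the header loop of `toString()` covers only names that `isSensitiveHeader` accepts, and nothing at this call site tells a reader which names those are or that the rest of the string is printed verbatim. Going by the test in this commit the set is authorization, proxy-authorization, cookie and set-cookie, so an application-specific credential header (an API-key or token header) and any secret carried in the URL's query or userinfo would still reach logs through `url=` and the header list. I would add a KDoc line above `toString()`, for example `/** Values of headers matched by isSensitiveHeader are replaced with "██"; the URL and all other header values are printed as-is, so this string is not safe to log when they carry secrets. */`. `isSensitiveHeader` is defined outside this page and the body of `toString()` starts above the hunk, so the exact list should be confirmed there.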
26 changes: 26 additions & 0 deletions okhttp/src/jvmTest/java/okhttp3/RequestTest.kt
@@ -489,6 +489,32 @@ class RequestTest {
assertThat(requestB.tag(String::class.java)).isSameAs("b")
assertThat(requestC.tag(String::class.java)).isSameAs("c")
}

@Test
fun requestToStringRedactsSensitiveHeaders() {
val headers = Headers.Builder()
.add("content-length", "99")
.add("authorization", "peanutbutter")
.add("proxy-authorization", "chocolate")
.add("cookie", "drink=coffee")
.add("set-cookie", "accessory=sugar")
.add("user-agent", "OkHttp")
.build()
val request = Request(
"https://square.com".toHttpUrl(),
headers
)
assertThat(request.toString()).isEqualTo(
"Request{method=GET, url=https://square.com/, headers=[" +
"content-length:99," +
" authorization:██," +
" proxy-authorization:██," +
" cookie:██," +
" set-cookie:██," +
" user-agent:OkHttp" +
"]}"
)
}

private fun bodyToHex(body: RequestBody): String {
val buffer = Buffer()
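Review bot: Every name added in `requestToStringRedactsSensitiveHeaders` is lower-case, so the test would keep passing if `isSensitiveHeader` matched names case-sensitively, and requests built with the canonical `Authorization` spelling would then print the credential. Whether the helper ignores case is not visible on this page, which is the reason to pin it here. Changing one entry to mixed case is enough, e.g. `.add("Proxy-Authorization", "chocolate")` with the expected fragment `" Proxy-Authorization:██,"`. The complementary check, that a header outside the list keeps its value, is already covered by `user-agent:OkHttp`.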