Mask sensitive fields on http urls

zeplin · Jan 17, 2020 · a0530c8 · a0530c8
1 parent 4a4d555
commit a0530c8
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 8 deletions.
diff --git a/src/api/index.ts b/src/api/index.ts
@@ -50,7 +50,7 @@ export class ZeplinApi {
                 validateStatus: (status: number): boolean => status === MOVED_TEMPORARILY
             });
 
-            const [, responseQueryParams] = response.data.split("?");
+            const [, responseQueryParams] = response.headers.location.split("?");
 
             const responseParams = new URLSearchParams(responseQueryParams);
 

diff --git a/src/api/interceptors.ts b/src/api/interceptors.ts
@@ -1,14 +1,38 @@
 import { AxiosRequestConfig, AxiosResponse } from "axios";
 import maskJson from "mask-json";
 import logger from "../util/logger";
+import { URL } from "url";
+import { MOVED_TEMPORARILY } from "http-status-codes";
 
-const blacklist = ["password", "Zeplin-Access-Token", "Zeplin-Token"];
+const blacklist = ["password", "token", "Zeplin-Access-Token", "Zeplin-Token", "Location"];
 
-const mask = maskJson(blacklist);
+const blacklistedQueryParams = ["access_token"];
+
+const mask = maskJson(blacklist, {
+    ignoreCase: true
+});
+
+const maskUrl = (_url: string | undefined): string | undefined => {
+    let masked = _url;
+    try {
+        if (_url) {
+            const url = new URL(_url);
+
+            blacklistedQueryParams
+                .filter(param => url.searchParams.has(param))
+                .forEach(param => url.searchParams.set(param, "--REDACTED--"));
+
+            masked = url.toString();
+        }
+    } catch {
+        // Ignore
+    }
+    return masked;
+};
 
 const requestLogger = (request: AxiosRequestConfig): AxiosRequestConfig => {
     const { url, method, data, headers } = request;
-    let httpLog = `HTTP Request: ${method} ${url}`;
+    let httpLog = `HTTP Request: ${method} ${maskUrl(url)}`;
 
     if (headers) {
         httpLog = httpLog.concat(`, Headers: ${JSON.stringify(mask(headers))}`);
@@ -31,14 +55,17 @@ const responseLogger = (response: AxiosResponse): AxiosResponse => {
         data
     } = response;
 
-    let httpLog = `HTTP Response: ${method} ${url}`
+    let httpLog = `HTTP Response: ${method} ${maskUrl(url)}`
         .concat(`, Status: ${status}-${statusText}`);
 
     if (headers) {
         httpLog = httpLog.concat(`, Headers: ${JSON.stringify(mask(headers))}`);
     }
     if (data) {
-        httpLog = httpLog.concat(`, Body: ${JSON.stringify(mask(data))}`);
+        // 302 may contain sensitive query params
+        if (status !== MOVED_TEMPORARILY) {
+            httpLog = httpLog.concat(`, Body: ${JSON.stringify(mask(data))}`);
+        }
     }
 
     logger.http(httpLog);

diff --git a/src/types/mask-json.d.ts b/src/types/mask-json.d.ts
@@ -3,7 +3,7 @@ type FunctionReturnsSameType = <T>(object: T) => T;
 declare module "mask-json" {
     function maskJson(
         collection: Array<string>,
-        opts?: { ignoreCase: boolean; replacement: string }
+        opts?: { ignoreCase?: boolean; replacement?: string }
     ): FunctionReturnsSameType;
 
     export = maskJson;

diff --git a/test/api.test.ts b/test/api.test.ts
@@ -56,7 +56,11 @@ describe("ZeplinApi", () => {
         it("returns token response when HTTP request succeeds", async () => {
             const zeplinApi = new ZeplinApi();
 
-            mocked(Axios.get).mockResolvedValueOnce({ data: "url:port?access_token=wowmuchaccesstoken" });
+            mocked(Axios.get).mockResolvedValueOnce({
+                headers: {
+                    location: "url:port?access_token=wowmuchaccesstoken"
+                }
+            });
 
             await expect(zeplinApi.generateToken(samples.loginResponse.token))
                 .resolves