[Merge] lp:~cjwatson/python-oops-wsgi/hide-macaroons into lp:python-oops-wsgi
Colin Watson has proposed merging lp:~cjwatson/python-oops-wsgi/hide-macaroons into lp:python-oops-wsgi.
Commit message:
Hide sensitive information in HTTP_AUTHORIZATION headers.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/python-oops-wsgi/hide-macaroons/+merge/308489
Full root and discharge macaroons show up in SCA OOPSes at the moment, and really shouldn't.
=== modified file 'oops_wsgi/hooks.py'
--- oops_wsgi/hooks.py 2011-11-13 22:39:44 +0000
+++ oops_wsgi/hooks.py 2016-10-14 10:40:34 +0000
@@ -15,6 +15,8 @@
"""oops creation and filtering hooks for working with WSGI."""
+import re
+
__all__ = [
'copy_environ',
'hide_cookie',
@@ -59,15 +61,25 @@
"""If there is an HTTP_COOKIE entry in the report, hide its value.
The entry is looked for either as a top level key or in the req_vars dict.
-
+
The COOKIE header is often used to carry session tokens and thus permits
folk analyzing crash reports to log in as an arbitrary user (e.g. your
sysadmin users).
+
+ The same goes for the AUTHORIZATION header, although in that case we
+ permit the authorization scheme to remain visible.
"""
if 'HTTP_COOKIE' in report:
report['HTTP_COOKIE'] = '<hidden>'
if 'HTTP_COOKIE' in report.get('req_vars', {}):
report['req_vars']['HTTP_COOKIE'] = '<hidden>'
+ if 'HTTP_AUTHORIZATION' in report:
+ report['HTTP_AUTHORIZATION'] = re.sub(
+ r'(.*?)\s+.*', r'\1 <hidden>', report['HTTP_AUTHORIZATION'])
+ if 'HTTP_AUTHORIZATION' in report.get('req_vars', {}):
+ report['req_vars']['HTTP_AUTHORIZATION'] = re.sub(
+ r'(.*?)\s+.*', r'\1 <hidden>',
+ report['req_vars']['HTTP_AUTHORIZATION'])
def install_hooks(config):
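Review bot: The pattern `r'(.*?)\s+.*'` used for both HTTP_AUTHORIZATION substitutions only matches when the value contains whitespace, so a header value that is a single token with no scheme separator is not matched at all and is written to the report unredacted — the opposite of the fall-back a redaction hook should have. The same regex is also duplicated for the top-level and req_vars cases, and `.` does not span newlines, so anything after an embedded line break would likewise survive. I would move the logic into a small helper that splits on the first run of whitespace and hides the whole value when no such split exists, as below; the existing tests still pass (`'Macaroon root=foo, discharge=bar'` → `'Macaroon <hidden>'`). The enclosing `hide_cookie` starts above the hunk, so the helper belongs at module level next to it.
```python
def _hide_authorization(value):
    """Return *value* with everything after the auth scheme replaced."""
    parts = value.split(None, 1)
    if len(parts) < 2:
        # No "<scheme> <credentials>" split: treat the whole value as secret.
        return '<hidden>'
    return '%s <hidden>' % parts[0]

# … unchanged: hide_cookie docstring and HTTP_COOKIE handling …
    if 'HTTP_AUTHORIZATION' in report:
        report['HTTP_AUTHORIZATION'] = _hide_authorization(
            report['HTTP_AUTHORIZATION'])
    if 'HTTP_AUTHORIZATION' in report.get('req_vars', {}):
        report['req_vars']['HTTP_AUTHORIZATION'] = _hide_authorization(
            report['req_vars']['HTTP_AUTHORIZATION'])
```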
=== modified file 'oops_wsgi/tests/test_hooks.py'
--- oops_wsgi/tests/test_hooks.py 2011-11-13 22:39:44 +0000
+++ oops_wsgi/tests/test_hooks.py 2016-10-14 10:40:34 +0000
@@ -62,6 +62,21 @@
hide_cookie(report, {})
self.assertEqual({'req_vars': {'HTTP_COOKIE': '<hidden>'}}, report)
+ def test_hide_cookie_authorization_present_top_level(self):
+ report = {'HTTP_AUTHORIZATION': 'Macaroon root=foo, discharge=bar'}
+ hide_cookie(report, {})
+ self.assertEqual({'HTTP_AUTHORIZATION': 'Macaroon <hidden>'}, report)
+
+ def test_hide_cookie_authorization_present_req_vars(self):
+ report = {
+ 'req_vars': {
+ 'HTTP_AUTHORIZATION': 'Macaroon root=foo, discharge=bar',
+ },
+ }
+ hide_cookie(report, {})
+ self.assertEqual(
+ {'req_vars': {'HTTP_AUTHORIZATION': 'Macaroon <hidden>'}}, report)
+
def test_copy_environ_copied_variables(self):
environ = {
'REQUEST_METHOD': 'GET',
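Review bot: Both new tests exercise only the `'<scheme> <credentials>'` shape, so nothing pins what `hide_cookie` does with an authorization value that has no whitespace — the case where the regex in hooks.py currently leaves the value untouched. A third test alongside `test_hide_cookie_authorization_present_top_level`, e.g. `report = {'HTTP_AUTHORIZATION': 'opaquetoken'}` / `hide_cookie(report, {})` / `self.assertEqual({'HTTP_AUTHORIZATION': '<hidden>'}, report)`, would document the intended behaviour and fail against the current implementation. A case with a tab separator, `'Bearer\tabc'`, would also be worth covering since `\s+` accepts it.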