fix: auth leakage with basic authentication

Nestor Acuna-Blanco · Nestor Acuna-Blanco · commit 023d3edb3f8a · 2024-06-27T20:09:45.000+02:00
diff --git a/src/RequestsLibrary/log.py b/src/RequestsLibrary/log.py
@@ -5,6 +5,7 @@
 from RequestsLibrary.utils import is_file_descriptor
 
 LOG_CHAR_LIMIT = 10000
+AUTHORIZATION = 'Authorization'
 
 
 def log_response(response):
@@ -24,11 +25,14 @@ def log_request(response):
     else:
         original_request = request
         redirected = ""
+    safe_headers = dict(original_request.headers)
+    if AUTHORIZATION in safe_headers:
+        safe_headers[AUTHORIZATION] = '*****'
     logger.info(
         "%s Request : " % original_request.method.upper()
         + "url=%s %s\n " % (original_request.url, redirected)
         + "path_url=%s \n " % original_request.path_url
-        + "headers=%s \n " % original_request.headers
+        + "headers=%s \n " % safe_headers
         + "body=%s \n " % format_data_to_log_string(original_request.body)
     )
 
diff --git a/utests/test_log.py b/utests/test_log.py
@@ -60,6 +60,47 @@ def test_log_request(mocked_logger):
                                                   "body=%s \n " % request.body)
 
 
+@mock.patch('RequestsLibrary.log.logger')
+def test_log_request_with_headers(mocked_logger):
+    headers = {'User-Agent': 'python-requests/2.31.0',
+               'Accept-Encoding': 'gzip, deflate',
+               'Accept': '*/*',
+               'Connection': 'keep-alive'}
+    request = Request(method='get', url='http://mock.rulezz', headers=headers)
+    request = request.prepare()
+    response = mock.MagicMock()
+    response.history = []
+    response.request = request
+    log_request(response)
+    assert mocked_logger.info.call_args[0][0] == ("%s Request : " % request.method +
+                                                  "url=%s \n " % request.url +
+                                                  "path_url=%s \n " % request.path_url +
+                                                  "headers=%s \n " % request.headers +
+                                                  "body=%s \n " % request.body)
+
+
+@mock.patch('RequestsLibrary.log.logger')
+def test_log_request_with_headers_auth(mocked_logger):
+    headers = {'User-Agent': 'python-requests/2.31.0',
+               'Accept-Encoding': 'gzip, deflate',
+               'Accept': '*/*',
+               'Connection': 'keep-alive',
+               'Authorization': 'some_token'}
+    safe_headers = dict(headers)
+    safe_headers['Authorization'] = '*****'
+    request = Request(method='get', url='http://mock.rulezz', headers=headers)
+    request = request.prepare()
+    response = mock.MagicMock()
+    response.history = []
+    response.request = request
+    log_request(response)
+    assert mocked_logger.info.call_args[0][0] == ("%s Request : " % request.method +
+                                                  "url=%s \n " % request.url +
+                                                  "path_url=%s \n " % request.path_url +
+                                                  "headers=%s \n " % safe_headers +
+                                                  "body=%s \n " % request.body)
+
+
 @mock.patch('RequestsLibrary.log.logger')
 def test_log_request_with_redirect(mocked_logger):
     request = Request(method='get', url='http://mock.rulezz/redirected')
