Redact query parameters from request URL

bugsnag · Apr 18, 2019 · 463ffdc · 463ffdc
1 parent 9675637
commit 463ffdc
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 3 deletions.
diff --git a/request_extractor.go b/request_extractor.go
@@ -3,6 +3,7 @@ package bugsnag
 import (
 	"context"
 	"net/http"
+	"net/url"
 	"strings"
 )
 
@@ -32,14 +33,39 @@ func extractRequestInfo(ctx context.Context) (*RequestJSON, *http.Request) {
 // understands from the given HTTP request. Returns the sub-object supported by
 // the notify API.
 func extractRequestInfoFromReq(req *http.Request) *RequestJSON {
-	proto := "http://"
+	scheme := "http"
 	if req.TLS != nil {
-		proto = "https://"
+		scheme = "https"
 	}
+
+	var rawQuery string
+	parsedQuery, err := url.ParseQuery(req.URL.RawQuery)
+	if err != nil {
+		rawQuery = req.URL.RawQuery
+	} else {
+		for key, values := range parsedQuery {
+			if contains(Config.ParamsFilters, key) {
+				for i, v := range values {
+					if len(v) != 0 {
+						values[i] = "FILTERED"
+					}
+				}
+			}
+		}
+		rawQuery = parsedQuery.Encode()
+	}
+	u := url.URL{
+		Scheme:   scheme,
+		Host:     req.Host,
+		Path:     req.URL.Path,
+		RawQuery: rawQuery,
+	}
+	builtURL := u.String()
+
 	return &RequestJSON{
 		ClientIP:   req.RemoteAddr,
 		HTTPMethod: req.Method,
-		URL:        proto + req.Host + req.RequestURI,
+		URL:        builtURL,
 		Referer:    req.Referer(),
 		Headers:    parseRequestHeaders(req.Header),
 	}

diff --git a/request_extractor_test.go b/request_extractor_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"strings"
 	"testing"
 )
@@ -54,6 +55,35 @@ func TestRequestExtractorCanHandleAbsentContext(t *testing.T) {
 	}
 }
 
+func TestExtractRequestInfoFromReq_RedactURL(t *testing.T) {
+	testCases := []struct { originalURI, expectedURL string}{
+		{"", "http://example.com"},
+		{"/", "http://example.com/"},
+		{"/foo.html", "http://example.com/foo.html"},
+		{"/foo.html?q=something&bar=123", "http://example.com/foo.html?bar=123&q=something"},
+		{"/foo.html?foo=1&foo=2&foo=3", "http://example.com/foo.html?foo=1&foo=2&foo=3"},
+
+		{"/foo.html?access_token=something", "http://example.com/foo.html?access_token=FILTERED"},
+		{"/foo.html?access_token=something&access_token=", "http://example.com/foo.html?access_token=FILTERED&access_token="},
+	}
+
+	for _, tc := range testCases {
+		parsedURL, err := url.Parse(tc.originalURI)
+		if err != nil {
+			t.Fatalf("error parsing originalURI: %v", err)
+		}
+
+		req := &http.Request{
+			Host: "example.com",
+			URL: parsedURL,
+		}
+		result := extractRequestInfoFromReq(req)
+		if result.URL != tc.expectedURL {
+			t.Errorf("expected URL to be '%s' but was '%s'", tc.expectedURL, result.URL)
+		}
+	}
+}
+
 func TestParseHeadersWillSanitiseIllegalParams(t *testing.T) {
 	headers := make(map[string][]string)
 	headers["password"] = []string{"correct horse battery staple"}