test/params_cleaner_test.rb in airbrake-4.2.1 vs test/params_cleaner_test.rb in airbrake-4.3.0
@@ -1,12 +1,13 @@
require File.expand_path '../helper', __FILE__
class ParamsCleanerTest < Test::Unit::TestCase
def clean(opts = {})
- cleaner = Airbrake::Utils::ParamsCleaner.new(:filters => opts.delete(:params_filters),
- :to_clean => opts)
+ cleaner = Airbrake::Utils::ParamsCleaner.new(:blacklist_filters => opts.delete(:params_filters) || [],
+ :whitelist_filters => opts.delete(:whitelist_params_filters) || [],
+ :to_clean => opts)
cleaner.clean
end
def assert_serializes_hash(attribute)
[File.open(__FILE__), Proc.new { puts "boo!" }, Module.new, nil].each do |object|
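Review bot: The rewritten `clean` helper forwards every option it does not `delete` straight into `:to_clean`, so a misspelled filter option is not rejected but silently treated as request data for the cleaner, and the tests that follow therefore depend on spelling `:params_filters` and `:whitelist_params_filters` exactly. That contract is not obvious from the call, and a misspelling would make a precedence test pass for the wrong reason. A short comment above the constructor would make it explicit, e.g. `# :params_filters / :whitelist_params_filters configure the cleaner; every remaining key is data to be cleaned`. If the set of cleanable attributes is fixed elsewhere in the file, raising on unexpected leftover keys would be the stronger guard, but I cannot see that set from this hunk.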
@@ -59,12 +60,29 @@
}
clean_params = clean(:cgi_data => original)
assert_equal({"abc" => "123"}, clean_params.cgi_data)
end
- should "remove rack.request.form_vars" do
+ should "remove sensitive rack vars" do
original = {
+ "HTTP_X_CSRF_TOKEN" => "remove_me",
+ "HTTP_COOKIE" => "remove_me",
+ "HTTP_AUTHORIZATION" => "remove_me",
+ "action_dispatch.request.unsigned_session_cookie" => "remove_me",
+ "action_dispatch.cookies" => "remove_me",
+ "action_dispatch.unsigned_session_cookie" => "remove_me",
+ "action_dispatch.secret_key_base" => "remove_me",
+ "action_dispatch.signed_cookie_salt" => "remove_me",
+ "action_dispatch.encrypted_cookie_salt" => "remove_me",
+ "action_dispatch.encrypted_signed_cookie_salt" => "remove_me",
+ "action_dispatch.http_auth_salt" => "remove_me",
+ "action_dispatch.secret_token" => "remove_me",
+ "rack.request.cookie_hash" => "remove_me",
+ "rack.request.cookie_string" => "remove_me",
+ "rack.request.form_vars" => "remove_me",
+ "rack.session" => "remove_me",
+ "rack.session.options" => "remove_me",
"rack.request.form_vars" => "story%5Btitle%5D=The+TODO+label",
"abc" => "123"
}
clean_params = clean(:cgi_data => original)
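Review bot: `"rack.request.form_vars"` appears twice in the `original` literal — the added `"remove_me"` entry and the pre-existing `"story%5Btitle%5D=The+TODO+label"` entry below it — so Ruby keeps only the second value and warns about a duplicated, overwritten key under `-w`; the added entry is dead. Delete the added `"rack.request.form_vars" => "remove_me",` line and keep the existing one, since both values are expected to be stripped anyway. The assertion for this test lies after the hunk, so I cannot tell what it pins; if it only checks `{"abc" => "123"}` that is sufficient, but it is worth confirming it asserts on the full result rather than on the absence of a single key. This test's body continues outside the hunk.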
@@ -91,9 +109,64 @@
assert_equal({'filter_me' => '[FILTERED]'}, clean_params.parameters)
end
should "filter parameters" do
assert_filters_hash(:parameters)
+ end
+
+ should "whitelist filter parameters" do
+ whitelist_filters = ["abc", :def]
+ original = { 'abc' => "123", 'def' => "456", 'ghi' => "789", 'nested' => { 'abc' => '100' },
+ 'something_with_abc' => 'match the entire string'}
+ filtered = { 'abc' => "123",
+ 'def' => "456",
+ 'something_with_abc' => "[FILTERED]",
+ 'ghi' => "[FILTERED]",
+ 'nested' => "[FILTERED]" }
+
+ clean_params = clean(:whitelist_params_filters => whitelist_filters,
+ :parameters => original)
+
+ assert_equal(filtered,
+ clean_params.send(:parameters))
+ end
+
+ should "not filter everything if whitelist filters are empty" do
+ whitelist_filters = []
+ original = { 'abc' => '123' }
+ clean_params = clean(:whitelist_params_filters => whitelist_filters,
+ :parameters => original)
+ assert_equal(original, clean_params.send(:parameters))
+ end
+
+ should "not care if filters are defined in nested array" do
+ filters = [[/crazy/, :foo, ["bar", ["too"]]]]
+ original = {
+ 'this_is_crazy' => 'yes_it_is',
+ 'I_am_good' => 'yes_you_are',
+ 'foo' => '1212',
+ 'too' => '2121',
+ 'bar' => 'secret'
+ }
+ filtered = {
+ 'this_is_crazy' => '[FILTERED]',
+ 'I_am_good' => 'yes_you_are',
+ 'foo' => '[FILTERED]',
+ 'too' => '[FILTERED]',
+ 'bar' => '[FILTERED]'
+ }
+ clean_params = clean(:params_filters => filters,
+ :parameters => original)
+ assert_equal(filtered, clean_params.send(:parameters))
+ end
+
+ should "filter key if it is defined as blacklist and whitelist" do
+ original = { 'filter_me' => 'secret' }
+ filtered = { 'filter_me' => '[FILTERED]' }
+ clean_params = clean(:params_filters => [:filter_me],
+ :params_whitelist_filters => [:filter_me],
+ :parameters => original)
+ assert_equal(filtered, clean_params.send(:parameters))
end
should "filter cgi data" do
assert_filters_hash(:cgi_data)
end
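Review bot: The new test `filter key if it is defined as blacklist and whitelist` passes `:params_whitelist_filters`, but the `clean` helper and the two whitelist tests above it use `:whitelist_params_filters`; the misspelled key is never deleted from `opts`, so no whitelist reaches `ParamsCleaner` and the stray key is forwarded in `:to_clean` as if it were data. The key then comes back `[FILTERED]` through the blacklist alone, meaning the blacklist-over-whitelist precedence this test exists to guard is not exercised and the test would keep passing even if the implementation let the whitelist win. Change the line to `:whitelist_params_filters => [:filter_me],`. Separately, in `whitelist filter parameters` the expectation `'nested' => "[FILTERED]"` pins that a whitelisted key inside a nested hash does not protect the nested value; if that fail-closed behaviour is intentional, a one-line comment such as `# whitelisting is not applied recursively: a nested hash is replaced wholesale` would stop a future contributor from "fixing" it.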