Commit
fix: fix regex for filtering credentials from logs
The ending "=" character of a base64 encoded string is padding. When the
input length is a multiple of three (which is the case for our account
id and license key), the output would not have the padding character.
This results in our credentials not being filtered in the logs.

This fixes the regex by removing the incorrect assumption.

https://en.wikipedia.org/wiki/Base64#Output_padding
starsirius committed Oct 29, 2021
1 parent cba303d commit d2c381a
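The padding point made in the commit message, as an added Ruby illustration that is not part of the avatax gem or of this commit: it runs the pre-fix and post-fix `AUTHORIZATION_FILTER_REGEX` from the diff over constructed log lines and reports what is still printed after the label. It assumes the logger emits the line in the shape the spec expects (`Authorization: "Basic <token>"`); `basic_auth_log_line`, `filter` and `credential_residue` are helper names invented here. It also goes one step beyond the commit and shows that `\w` stops at the `+` and `/` of the base64 alphabet, which plain-ASCII credentials can produce.

```ruby
require 'base64'

# Patterns copied from the diff: the pre-fix one requires a trailing "=",
# the post-fix one does not. The label is the gem's REMOVED_LABEL.
OLD_FILTER = /(Authorization\:\ \"Basic\ )(\w+)\=/
NEW_FILTER = /(Authorization:\ "Basic\ )(\w+)/
REMOVED_LABEL = '\1[REMOVED]'

# Constructed log line in the shape the spec expects the logger to emit
# (assumption: `Authorization: "Basic <token>"`).
def basic_auth_log_line(user, pass)
  token = Base64.strict_encode64("#{user}:#{pass}")
  %(Authorization: "Basic #{token}")
end

# Apply a filter regex the same way the gem does (gsub with the label).
def filter(line, regex)
  line.gsub(regex, REMOVED_LABEL)
end

# Whatever is still printed between `Basic ` and the closing quote once the
# label is taken out; an empty string means the token was fully redacted.
def credential_residue(filtered_line)
  filtered_line[/Basic (.*)"/, 1].sub('[REMOVED]', '')
end

if $PROGRAM_NAME == __FILE__
  # "name:pass" is 9 bytes (a multiple of 3): no "=" padding, the case from the commit.
  # "user:secret" is 11 bytes: one "=" of padding, which the old regex relied on.
  # "name:pas>" is 9 bytes whose last triple encodes to "YXM+": a "+" that \w does not match.
  [%w[name pass], %w[user secret], ['name', 'pas>']].each do |user, pass|
    line = basic_auth_log_line(user, pass)
    { old: OLD_FILTER, new: NEW_FILTER }.each do |name, regex|
      puts format('%-4s %-42s residue=%p', name, line, credential_residue(filter(line, regex)))
    end
  end
end
```

With the post-fix pattern the unpadded token is fully redacted, a padded token leaves only its `=` behind, and a token containing `+` or `/` leaves everything after that character in the log.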
Showing 2 changed files with 21 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/avatax/connection.rb
Expand Up @@ -4,7 +4,8 @@ module AvaTax

module Connection
private
AUTHORIZATION_FILTER_REGEX = /(Authorization\:\ \"Basic\ )(\w+)\=/

AUTHORIZATION_FILTER_REGEX = /(Authorization:\ "Basic\ )(\w+)/
REMOVED_LABEL = '\1[REMOVED]'

def connection
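Review bot: the new `(\w+)` group on the `AUTHORIZATION_FILTER_REGEX` line still does not cover the whole base64 alphabet: `\w` matches neither `+` nor `/`, so a token containing either is cut at that character and the rest of it is written to the log, and trailing `=` padding is left in place as well. Since the closing quote delimits the token, something like `(Authorization:\ "Basic\ )([^"]+)` (or `([A-Za-z0-9+\/=]+)`) replaces the entire credential regardless of its content.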
19 changes: 19 additions & 0 deletions spec/avatax/request_spec.rb
@@ -1,4 +1,5 @@
require File.expand_path('../../spec_helper', __FILE__)
require 'logger'

describe AvaTax::Request do

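Review bot: the spec added below also uses `StringIO`; unless `spec_helper` already loads it, add `require 'stringio'` next to `require 'logger'` so the file does not depend on load order.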
Expand All @@ -22,4 +23,22 @@
expect(response.env.request['timeout']).to eq(10)
end
end

describe 'filter credentials from logs' do
let(:string_io) { StringIO.new }
let(:logger) { Logger.new(string_io) }

it 'replaces credentials with a label' do
# Make 'name:pass' string length a multiple of three so the base64
# encoded string will not have padding characters '=' at the end.
@client.username = 'name'
@client.password = 'pass'

@client.custom_logger = logger
response = @client.request(:get, 'path', 'model')

expect(response.env.request_headers).to include('Authorization' => 'Basic bmFtZTpwYXNz')
expect(string_io.string).to match(/Authorization: "Basic \[REMOVED\]"/)
end
end
end
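Review bot: the new `'replaces credentials with a label'` example only covers the unpadded case that triggered the bug; it would be worth a second example with a `user:pass` whose length is not a multiple of three, because the new regex leaves the `=` padding in the output and the current expectation `to match(/Authorization: "Basic \[REMOVED\]"/)` would not match `[REMOVED]="`. A negative assertion that `string_io.string` does not include `'bmFtZTpwYXNz'` would also state the property the fix is really about.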

0 comments on commit d2c381a