From d2c381a9945924c0295cbc04196452d5e3cae5e5 Mon Sep 17 00:00:00 2001
From: Chung-Yi Chi
Date: Wed, 11 Aug 2021 17:19:35 -0400
Subject: [PATCH] fix: fix regex for filtering credentials from logs
The ending "=" character of a base64 encoded string is padding. When the input length is a multiple of three (which is the case for our account id and license key), the output would not have the padding character. This results in our credentials not being filtered in the logs. This fixes the regex by removing the incorrect assumption. https://en.wikipedia.org/wiki/Base64#Output_padding
---
 lib/avatax/connection.rb | 3 ++-
 spec/avatax/request_spec.rb | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/lib/avatax/connection.rb b/lib/avatax/connection.rb
index 500e014..5d7a306 100644
--- a/lib/avatax/connection.rb
+++ b/lib/avatax/connection.rb
@@ -4,7 +4,8 @@ module AvaTax
 module Connection
 private
- AUTHORIZATION_FILTER_REGEX = /(Authorization\:\ \"Basic\ )(\w+)\=/
+
+ AUTHORIZATION_FILTER_REGEX = /(Authorization:\ "Basic\ )(\w+)/
 REMOVED_LABEL = '\1[REMOVED]'
 def connection
diff --git a/spec/avatax/request_spec.rb b/spec/avatax/request_spec.rb
index 055deba..9cf5f84 100644
--- a/spec/avatax/request_spec.rb
+++ b/spec/avatax/request_spec.rb
@@ -1,4 +1,5 @@
 require File.expand_path('../../spec_helper', __FILE__)
+require 'logger'
 describe AvaTax::Request do
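Review bot: `(\w+)` in the new AUTHORIZATION_FILTER_REGEX only covers `[A-Za-z0-9_]`, so a Basic token that contains the Base64 characters `+`, `/` or `=` is redacted only up to the first such character and the rest of the credential stays in the log after the label (constructed example: `name:~~~` encodes to `bmFtZTp+fn4=`, which this regex would log as `Basic [REMOVED]+fn4=`). Capture the full RFC 4648 alphabet instead, `AUTHORIZATION_FILTER_REGEX = /(Authorization:\ "Basic\ )([A-Za-z0-9+\/=]+)/`; REMOVED_LABEL's `\1` still keeps the prefix, and since the context line shows the value is quoted, `([^"]+)` is an equally safe alternative. A short comment above the constant, such as `# Must cover the whole Base64 alphabet (incl. +, / and = padding) or the token leaks partially.`, would keep the next edit from narrowing it again. The `\ ` escapes on the spaces are unnecessary outside extended mode but harmless.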
@@ -22,4 +23,22 @@
 expect(response.env.request['timeout']).to eq(10)
 end
 end
+
+ describe 'filter credentials from logs' do
+ let(:string_io) { StringIO.new }
+ let(:logger) { Logger.new(string_io) }
+
+ it 'replaces credentials with a label' do
+ # Make 'name:pass' string length a multiple of three so the base64
+ # encoded string will not have padding characters '=' at the end.
+ @client.username = 'name'
+ @client.password = 'pass'
+
+ @client.custom_logger = logger
+ response = @client.request(:get, 'path', 'model')
+
+ expect(response.env.request_headers).to include('Authorization' => 'Basic bmFtZTpwYXNz')
+ expect(string_io.string).to match(/Authorization: "Basic \[REMOVED\]"/)
+ end
+ end
 end
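Review bot: The new example pins only the padding-free token `bmFtZTpwYXNz`, which is exactly the case the commit fixes, and it never asserts that the raw credential is absent from the log, so a partial redaction would be caught only indirectly by the closing quote in the `match` pattern. Add a direct negative assertion after the match, `expect(string_io.string).not_to include('bmFtZTpwYXNz')`, and a second example whose username/password pair encodes to a token containing `+`, `/` or `=` padding, with the same two assertions. `@client` and the `before` block that builds it, like the enclosing `describe`, appear to be defined outside this hunk, so the example depends on state not visible here.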