redact query string parameters on URLs

Author: gingerbenw

packages/plugin-http-errors/http-errors.js

@@ -10,6 +10,7 @@ const shouldCaptureStatusCode = require('./lib/should-capture-status-code')
 const truncate = require('./lib/truncate')
 const xhrResponseHeadersToObject = require('./lib/xhr-response-headers-to-object')
 const redactValues = require('./lib/redact-values')
+const redactQueryParameters = require('./lib/redact-query-parameters')
 
 const DEFAULT_HTTP_ERROR_CODES = [{ min: 400, max: 599 }]
 const DEFAULT_MAX_REQUEST_SIZE = 5000
@@ -90,6 +91,10 @@ module.exports = (config = {}, global = window) => {
         const method = startContext.method
         const domain = extractDomain(url)
 
+        // Redact query parameters in URL
+        const redactedUrl = redactQueryParameters(url, redactedKeys)
+        const redactedQueryParams = parseQueryParams(redactedUrl)
+
         // Extract request headers
         let requestHeaders = {}
         if (startContext.xhr && startContext.xhr._requestHeaders) {
@@ -126,10 +131,10 @@ module.exports = (config = {}, global = window) => {
 
         // Create request and response objects for callback
         const requestObj = {
-          url,
+          url: redactedUrl,
           httpMethod: method,
           headers: redactValues(requestHeaders, redactedKeys),
-          params: redactValues(parseQueryParams(url), redactedKeys),
+          params: redactedQueryParams,
           body: requestBody,
           bodyLength: requestBodyLength
         }

packages/plugin-http-errors/lib/redact-query-parameters.js

@@ -0,0 +1,13 @@
+const redactValues = require('./redact-values')
+const defaultBaseURL = 'http://invalid-base.com'
+
+module.exports = function (url, redactedKeys) {
+  const urlObj = new URL(url, defaultBaseURL) // base needed for relative URLs
+  const params = new URLSearchParams(urlObj.search)
+  const redactedParams = redactValues(Object.fromEntries(params), redactedKeys)
+  urlObj.search = new URLSearchParams(redactedParams).toString()
+  const urlString = decodeURI(urlObj.toString())
+  return urlString.startsWith(defaultBaseURL)
+    ? urlString.slice(defaultBaseURL.length)
+    : urlString
+}

packages/plugin-http-errors/test/http-errors-xhr.test.ts

@@ -210,5 +210,36 @@ describe('plugin-http-errors', () => {
       // since they don't have status codes, but let's verify the behavior
       expect(notifyCallbacks.length).toBe(0)
     })
+
+    it('should redact specified headers and query parameters in XHR URLs', async () => {
+      const notifyCallbacks: Event[] = []
+
+      plugin = createPlugin({
+        httpErrorCodes: { min: 400, max: 499 }
+      })
+
+      const client = new Client({ apiKey: 'api_key', plugins: [plugin], redactedKeys: ['token', 'userId'] })
+      client._setDelivery(createMockDelivery(notifyCallbacks))
+
+      const xhr = new XMLHttpRequest() as any
+      xhr.status = 403
+      xhr.statusText = 'Forbidden'
+      xhr.response = 'Forbidden'
+      xhr.responseText = 'Forbidden'
+      xhr.setRequestHeader('token', 'super-secret-token')
+
+      xhr.open('GET', 'https://api.example.com/data?userId=42')
+      xhr.send()
+
+      await new Promise(resolve => setTimeout(resolve, 20))
+
+      expect(notifyCallbacks.length).toBe(1)
+      const event = notifyCallbacks[0].toJSON()
+
+      // Verify that sensitive query parameters are redacted
+      expect(event.request.url).toBe('https://api.example.com/data?userId=[REDACTED]')
+      expect(event.request.params).toEqual({ userId: '[REDACTED]' })
+      expect(event.request.headers?.['token']).toBe('[REDACTED]')
+    })
   })
 })

packages/plugin-http-errors/test/redact-query-parameters.test.ts

@@ -0,0 +1,24 @@
+import redactQueryParameters from '../lib/redact-query-parameters'
+
+describe('redact-query-parameters', () => {
+  it('redacts specified query parameters in a URL', () => {
+    const url = 'http://example.com/path?token=abc123&userId=42&status=active'
+    const redactedKeys = ['token', 'userId']
+    const redactedUrl = redactQueryParameters(url, redactedKeys)
+    expect(redactedUrl).toBe('http://example.com/path?token=[REDACTED]&userId=[REDACTED]&status=active')
+  })
+
+  it('handles URLs with no query parameters', () => {
+    const url = 'http://example.com/path'
+    const redactedKeys = ['token']
+    const redactedUrl = redactQueryParameters(url, redactedKeys)
+    expect(redactedUrl).toBe('http://example.com/path')
+  })
+
+  it('handles relative URLs', () => {
+    const url = '/path?token=abc123&userId=42'
+    const redactedKeys = ['token', 'userId']
+    const redactedUrl = redactQueryParameters(url, redactedKeys)
+    expect(redactedUrl).toBe('/path?token=[REDACTED]&userId=[REDACTED]')
+  })
+})

test/browser/features/fixtures/http_errors/src/app.tsx

@@ -3,7 +3,7 @@ import ReactDOM from 'react-dom'
 import React, { useEffect } from 'react'
 import { apiKey, endpoints, plugins, REFLECT_ENDPOINT } from './lib/config'
 
-Bugsnag.start({ apiKey, endpoints, plugins, redactedKeys: ['token'] })
+Bugsnag.start({ apiKey, endpoints, plugins, redactedKeys: ['token', 'userId'] })
 
 function App () {
   useEffect(() => {
@@ -13,20 +13,21 @@ function App () {
     switch(type) {
       case 'xhr':
         const xhr = new XMLHttpRequest()
-        xhr.open('GET', `${REFLECT_ENDPOINT}?status=404&token=12345`)
+        xhr.open('GET', `${REFLECT_ENDPOINT}?status=404&userId=12345`)
+        xhr.setRequestHeader('token', 'super-secret-token')
         xhr.send()
         break
       case 'fetch':
       default:
-        fetch(`${REFLECT_ENDPOINT}?status=404&token=12345`)
+        fetch(`${REFLECT_ENDPOINT}?status=404&userId=12345`, { headers: { token: 'super-secret-token' }})
         break
     }
 
   }, [])
 
   return (
     <div>
-      <p>HTTP Errors - fetch</p>
+      <p>HTTP Errors</p>
     </div>
   )
 }

test/browser/features/http_errors.feature

@@ -9,8 +9,8 @@ Feature: HTTP Errors
     Then the error is a valid browser payload for the error reporting API
 
     And I define "expected.context" as "GET <browser.hostname>"
-    And I define "expected.exception.message" as "404: <browser.url>/reflect?status=404"
-    And I define "expected.request.url" as "<browser.url>/reflect?status=404"
+    And I define "expected.exception.message" as "404: <browser.url>/reflect?status=404&userId=[REDACTED]"
+    And I define "expected.request.url" as "<browser.url>/reflect?status=404&userId=[REDACTED]"
 
     And the exception "errorClass" equals "HTTPError"
     And the error payload field "events.0.exceptions.0.message" equals the stored value "expected.exception.message"
@@ -22,7 +22,7 @@ Feature: HTTP Errors
     And the error payload field "events.0.request.url" equals the stored value "expected.request.url"
     And the event "request.httpMethod" equals "GET"
     And the event "request.params.status" equals "404"
-    And the event "request.params.token" equals "[REDACTED]"
+    And the event "request.params.userId" equals "[REDACTED]"
     And the event "request.body" equals ""
     And the event "request.bodyLength" equals 0
 
@@ -39,8 +39,8 @@ Feature: HTTP Errors
     Then the error is a valid browser payload for the error reporting API
 
     And I define "expected.context" as "GET <browser.hostname>"
-    And I define "expected.exception.message" as "404: <browser.url>/reflect?status=404"
-    And I define "expected.request.url" as "<browser.url>/reflect?status=404"
+    And I define "expected.exception.message" as "404: <browser.url>/reflect?status=404&userId=[REDACTED]"
+    And I define "expected.request.url" as "<browser.url>/reflect?status=404&userId=[REDACTED]"
 
     And the exception "errorClass" equals "HTTPError"
     And the error payload field "events.0.exceptions.0.message" equals the stored value "expected.exception.message"
@@ -52,7 +52,7 @@ Feature: HTTP Errors
     And the error payload field "events.0.request.url" equals the stored value "expected.request.url"
     And the event "request.httpMethod" equals "GET"
     And the event "request.params.status" equals "404"
-    And the event "request.params.token" equals "[REDACTED]"
+    And the event "request.params.userId" equals "[REDACTED]"
     And the event "request.body" equals ""
     And the event "request.bodyLength" equals 0