Request tab includes cookies #152

Open
eager opened this issue Jan 27, 2020 · 4 comments
Labels
awaiting feedback Awaiting a response from a customer. Will be automatically closed after approximately 2 weeks.

Comments


eager commented Jan 27, 2020

Expected behavior

Cookies are filtered from request headers metadata, as Cookie is included in the default filters.

Observed behavior

Request tab contains a headers map with cookie present.

Steps to reproduce

We’re using bugsnag-spring with Spring Boot 2.0.9 and Tomcat 9.0.30.

Version

3.6.1

Additional information

It looks like the issue is that the underlying servlet implementation stores header keys case-insensitively, so the default Cookie filter does not match. When it comes to filtering, I think it would make sense to make all comparisons case-insensitive, so that a filter for "password" matches "USER_PASSWORD", "adminPassword", etc.

eager added a commit to eager/bugsnag-java that referenced this issue Jan 27, 2020

eager commented Jan 27, 2020

Based on #113, it seems that the current case-sensitivity is intentional, but it’s unclear to me why it’s desired.

@abigailbramble

Hi @eager - thanks for the report.
We are considering making this configuration option capable of taking regexes, which should meet your needs.

abigailbramble added the awaiting feedback label Feb 5, 2020

eager commented Feb 6, 2020

> We are considering making this configuration option capable of taking regexes, which should meet your needs.

@phillipsam good to know! Would (case-insensitive) regexes be the default, and would the defaults include the 4 current filters?

@fractalwrench
Contributor

Hi @eager - case-insensitive regexes would be fine, and I think it would make sense to include the 4 current filters.

We've designed a new API for redacting metadata values, which hasn't been scheduled for implementation on bugsnag-java yet. I can sketch out some of the details here if that would help #153:

redactedKeys

// Configuration.java
Collection<String> getRedactedKeys();
void setRedactedKeys(Collection<String> redactedKeys);

The requirements would be:

  • values in the redactedKeys property should be compiled into a regex
  • keys in MetaData should be matched against the values of redactedKeys and replaced with a placeholder string "[REDACTED]" if any key matches
  • the filters property should be marked as deprecated and direct callers to use redactedKeys instead

If you have any questions about this please let me know.
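
Added example, not part of the thread and not bugsnag-java's implementation: the requirements listed above applied to a nested metadata map, with each redactedKeys value compiled as a case-insensitive regex so that a `Cookie` entry matches a `cookie` header key. The class and method names, the sample data and the substring (`find()`) matching are assumptions.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added example, not bugsnag-java code; class and method names are hypothetical.
public class RedactedKeysDemo {
    static final String PLACEHOLDER = "[REDACTED]";

    // Compile each redactedKeys value as a case-insensitive regex.
    static List<Pattern> compile(Collection<String> redactedKeys) {
        List<Pattern> patterns = new ArrayList<>();
        for (String key : redactedKeys) {
            patterns.add(Pattern.compile(key, Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE));
        }
        return patterns;
    }

    // Copy the metadata, replacing the value of every matching key; nested maps are walked.
    static Map<String, Object> redact(Map<?, ?> metaData, List<Pattern> patterns) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<?, ?> e : metaData.entrySet()) {
            String key = String.valueOf(e.getKey());
            boolean hit = false;
            for (Pattern p : patterns) {
                hit |= p.matcher(key).find(); // substring match: "password" hits "USER_PASSWORD"
            }
            if (hit) {
                out.put(key, PLACEHOLDER);
            } else if (e.getValue() instanceof Map) {
                out.put(key, redact((Map<?, ?>) e.getValue(), patterns));
            } else {
                out.put(key, e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: header name in lower case, as in the headers map the report describes.
        Map<String, Object> headers = new LinkedHashMap<>();
        headers.put("cookie", "JSESSIONID=constructed-sample");
        headers.put("accept", "text/html");
        Map<String, Object> metaData = new LinkedHashMap<>();
        metaData.put("headers", headers);
        metaData.put("adminPassword", "constructed-sample");
        // A case-sensitive lookup for "Cookie" misses the lower-cased key.
        System.out.println("exact match on \"Cookie\": " + headers.containsKey("Cookie"));
        System.out.println(redact(metaData, compile(Arrays.asList("Cookie", "password"))));
    }
}
```

Because the values are compiled as regexes, a literal key containing metacharacters such as `.` or `[` would need `Pattern.quote` before compiling.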
