From e1176e9e3bf82921e2e2355b4a4a64f6f374152f Mon Sep 17 00:00:00 2001 From: shamoon <4887959+shamoon@users.noreply.github.com> Date: Wed, 15 Feb 2023 14:46:31 -0800 Subject: [PATCH] Strip sensitive information contained in URLs from frontend API calls --- src/utils/proxy/api-helpers.js | 9 +++++++++ src/utils/proxy/handlers/credentialed.js | 7 +++++-- src/utils/proxy/handlers/generic.js | 9 ++++++--- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/src/utils/proxy/api-helpers.js b/src/utils/proxy/api-helpers.js index 904c9e967..ca2721ec0 100644 --- a/src/utils/proxy/api-helpers.js +++ b/src/utils/proxy/api-helpers.js @@ -53,3 +53,12 @@ export function jsonArrayTransform(data, transform) { export function jsonArrayFilter(data, filter) { return jsonArrayTransform(data, (items) => items.filter(filter)); } + +export function sanitizeErrorURL(errorURL) { + // Dont display sensitive params on frontend + const url = new URL(errorURL); + ["apikey", "api_key", "token", "t"].forEach(key => { + if (url.searchParams.has(key)) url.searchParams.set(key, "***") + }); + return url.toString(); +} \ No newline at end of file diff --git a/src/utils/proxy/handlers/credentialed.js b/src/utils/proxy/handlers/credentialed.js index 23e065246..4d5b4a25d 100644 --- a/src/utils/proxy/handlers/credentialed.js +++ b/src/utils/proxy/handlers/credentialed.js @@ -1,5 +1,5 @@ import getServiceWidget from "utils/config/service-helpers"; -import { formatApiCall } from "utils/proxy/api-helpers"; +import { formatApiCall, sanitizeErrorURL } from "utils/proxy/api-helpers"; import validateWidgetData from "utils/proxy/validate-widget-data"; import { httpProxy } from "utils/proxy/http"; import createLogger from "utils/logger"; @@ -68,7 +68,10 @@ export default async function credentialedProxyHandler(req, res, map) { } if (!validateWidgetData(widget, endpoint, data)) { - return res.status(500).json({error: {message: "Invalid data", url, data}}); + if (data.error && data.error.url) { + data.error.url = sanitizeErrorURL(url); + } + return res.status(500).json({error: {message: "Invalid data", url: sanitizeErrorURL(url), data}}); } if (status === 200 && map) { diff --git a/src/utils/proxy/handlers/generic.js b/src/utils/proxy/handlers/generic.js index 02c3d4c38..82da956dd 100644 --- a/src/utils/proxy/handlers/generic.js +++ b/src/utils/proxy/handlers/generic.js @@ -1,5 +1,5 @@ import getServiceWidget from "utils/config/service-helpers"; -import { formatApiCall } from "utils/proxy/api-helpers"; +import { formatApiCall, sanitizeErrorURL } from "utils/proxy/api-helpers"; import validateWidgetData from "utils/proxy/validate-widget-data"; import { httpProxy } from "utils/proxy/http"; import createLogger from "utils/logger"; @@ -35,7 +35,10 @@ export default async function genericProxyHandler(req, res, map) { let resultData = data; if (!validateWidgetData(widget, endpoint, resultData)) { - return res.status(status).json({error: {message: "Invalid data", url, data: resultData}}); + if (resultData.error && resultData.error.url) { + resultData.error.url = sanitizeErrorURL(url); + } + return res.status(status).json({error: {message: "Invalid data", url: sanitizeErrorURL(url), data: resultData}}); } if (status === 200 && map) { @@ -50,7 +53,7 @@ export default async function genericProxyHandler(req, res, map) { if (status >= 400) { logger.debug("HTTP Error %d calling %s//%s%s...", status, url.protocol, url.hostname, url.pathname); - return res.status(status).json({error: {message: "HTTP Error", url, data}}); + return res.status(status).json({error: {message: "HTTP Error", url: sanitizeErrorURL(url), data}}); } return res.status(status).send(resultData);