Support pii data remove from config

Author: Inbal Tako

securenative/config/configuration_manager.py

@@ -69,4 +69,9 @@ def load_config(cls, resource_path):
                                                                               "SECURENATIVE_FAILOVER_STRATEGY",
                                                                               options.fail_over_strategy),
                                    proxy_headers=cls._get_env_or_default(properties, "SECURENATIVE_PROXY_HEADERS",
-                                                                         options.proxy_headers))
+                                                                         options.proxy_headers),
+                                   pii_headers=cls._get_env_or_default(properties, "SECURENATIVE_PII_HEADERS",
+                                                                       options.pii_headers),
+                                   pii_regex_pattern=cls._get_env_or_default(properties,
+                                                                             "SECURENATIVE_PII_REGEX_PATTERN",
+                                                                             options.pii_regex_pattern))

securenative/config/securenative_options.py

@@ -5,7 +5,8 @@ class SecureNativeOptions(object):
 
     def __init__(self, api_key=None, api_url="https://api.securenative.com/collector/api/v1", interval=1000,
                  max_events=1000, timeout=1500, auto_send=True, disable=False, log_level="CRITICAL",
-                 fail_over_strategy=FailOverStrategy.FAIL_OPEN.value, proxy_headers=None):
+                 fail_over_strategy=FailOverStrategy.FAIL_OPEN.value, proxy_headers=None,
+                 pii_headers=None, pii_regex_pattern=None):
 
         if proxy_headers is None:
             proxy_headers = []
@@ -24,3 +25,5 @@ def __init__(self, api_key=None, api_url="https://api.securenative.com/collector
         self.disable = disable
         self.log_level = log_level
         self.proxy_headers = proxy_headers
+        self.pii_headers = pii_headers
+        self.pii_regex_pattern = pii_regex_pattern

securenative/context/securenative_context.py

@@ -21,7 +21,7 @@ def from_http_request(request, options):
             client_token = None
 
         try:
-            headers = RequestUtils.get_headers_from_request(request.headers)
+            headers = RequestUtils.get_headers_from_request(request.headers, options)
         except Exception:
             headers = None
 

securenative/utils/request_utils.py

@@ -1,3 +1,5 @@
+import re
+
 from securenative.utils.ip_utils import IpUtils
 
 
@@ -16,7 +18,7 @@ def get_secure_header_from_request(headers):
 
     @staticmethod
     def get_client_ip_from_request(request, options):
-        if options and len(options.proxy_headers) > 0:
+        if options and options.proxy_headers and len(options.proxy_headers) > 0:
             for header in options.proxy_headers:
                 try:
                     if request.environ.get(header) is not None:
@@ -79,10 +81,19 @@ def get_valid_ip(ips):
             return ip
 
     @staticmethod
-    def get_headers_from_request(headers):
+    def get_headers_from_request(headers, options=None):
         h = {}
-        for header in headers:
-            if header not in RequestUtils.PII_HEADERS and header.upper() not in RequestUtils.PII_HEADERS:
-                h[header] = headers[header]
+        if options and options.pii_headers and len(options.pii_headers) > 0:
+            for header in headers:
+                if header not in options.pii_headers and header.upper() not in options.pii_headers:
+                    h[header] = headers[header]
+        elif options and options.pii_regex_pattern:
+            for header in headers:
+                if not re.search(options.pii_regex_pattern, header):
+                    h[header] = headers[header]
+        else:
+            for header in headers:
+                if header not in RequestUtils.PII_HEADERS and header.upper() not in RequestUtils.PII_HEADERS:
+                    h[header] = headers[header]
 
         return h

tests/request_utils_test.py

@@ -343,3 +343,76 @@ def test_strip_down_pii_data_from_headers(self):
         self.assertEqual(h.get('passwd'), None)
         self.assertEqual(h.get('secret'), None)
         self.assertEqual(h.get('api_key'), None)
+
+    def test_strip_down_pii_data_from_custom_headers(self):
+        headers = {
+            'Host': 'net.example.com',
+            'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)',
+            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+            'Accept-Language': 'en-us,en;q=0.5',
+            'Accept-Encoding': 'gzip,deflate',
+            'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+            'Keep-Alive': '300',
+            'Connection': 'keep-alive',
+            'Cookie': 'PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120',
+            'Pragma': 'no-cache',
+            'Cache-Control': 'no-cache',
+            'authorization': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'access_token': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'apikey': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'password': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'passwd': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'secret': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'api_key': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z'
+        }
+
+        with requests_mock.Mocker(real_http=True) as request:
+            request.headers = headers
+
+        options = SecureNativeOptions(pii_headers=['authorization', 'access_token', 'apikey', 'password',
+                                                   'passwd', 'secret', 'api_key'])
+        h = RequestUtils.get_headers_from_request(request.headers, options)
+
+        self.assertEqual(h.get('authorization'), None)
+        self.assertEqual(h.get('access_token'), None)
+        self.assertEqual(h.get('apikey'), None)
+        self.assertEqual(h.get('password'), None)
+        self.assertEqual(h.get('passwd'), None)
+        self.assertEqual(h.get('secret'), None)
+        self.assertEqual(h.get('api_key'), None)
+
+    def test_strip_down_pii_data_from_regex_pattern(self):
+        headers = {
+            'Host': 'net.example.com',
+            'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)',
+            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+            'Accept-Language': 'en-us,en;q=0.5',
+            'Accept-Encoding': 'gzip,deflate',
+            'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+            'Keep-Alive': '300',
+            'Connection': 'keep-alive',
+            'Cookie': 'PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120',
+            'Pragma': 'no-cache',
+            'Cache-Control': 'no-cache',
+            'http_auth_authorization': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_access_token': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_apikey': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_password': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_passwd': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_secret': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_api_key': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z'
+        }
+
+        with requests_mock.Mocker(real_http=True) as request:
+            request.headers = headers
+
+        options = SecureNativeOptions(pii_regex_pattern='((?i)(http_auth_)(\w+)?)')
+        h = RequestUtils.get_headers_from_request(request.headers, options)
+
+        self.assertEqual(h.get('http_auth_authorization'), None)
+        self.assertEqual(h.get('http_auth_access_token'), None)
+        self.assertEqual(h.get('http_auth_apikey'), None)
+        self.assertEqual(h.get('http_auth_password'), None)
+        self.assertEqual(h.get('http_auth_passwd'), None)
+        self.assertEqual(h.get('http_auth_secret'), None)
+        self.assertEqual(h.get('http_auth_api_key'), None)