Remove pii data from headers

Inbal Tako · Inbal Tako · commit cfa716aa9e8d · 2020-11-23T15:07:30.000+02:00
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.3.5
+0.3.6
diff --git a/securenative/context/securenative_context.py b/securenative/context/securenative_context.py
@@ -21,7 +21,7 @@ def from_http_request(request, options):
             client_token = None
 
         try:
-            headers = dict(request.headers)
+            headers = RequestUtils.get_headers_from_request(request.headers)
         except Exception:
             headers = None
 
diff --git a/securenative/utils/request_utils.py b/securenative/utils/request_utils.py
@@ -5,6 +5,7 @@ class RequestUtils(object):
     SECURENATIVE_COOKIE = "_sn"
     SECURENATIVE_HEADER = "x-securenative"
     IP_HEADERS = ["HTTP_X_FORWARDED_FOR", "X_FORWARDED_FOR", "REMOTE_ADDR", "x-forwarded-for", "x-client-ip", "x-real-ip", "x-forwarded", "x-cluster-client-ip", "forwarded-for", "forwarded", "via"]
+    PII_HEADERS = ['authorization', 'access_token', 'apikey', 'password',  'passwd', 'secret', 'api_key']
 
     @staticmethod
     def get_secure_header_from_request(headers):
@@ -76,3 +77,12 @@ def get_valid_ip(ips):
 
         if IpUtils.is_loop_back(ip):
             return ip
+
+    @staticmethod
+    def get_headers_from_request(headers):
+        h = {}
+        for header in headers:
+            if header not in RequestUtils.PII_HEADERS:
+                h[header] = headers[header]
+
+        return h
diff --git a/securenative/utils/version_utils.py b/securenative/utils/version_utils.py
@@ -2,4 +2,4 @@ class VersionUtils(object):
 
     @staticmethod
     def get_version():
-        return "0.3.5"
+        return "0.3.6"
diff --git a/tests/request_utils_test.py b/tests/request_utils_test.py
@@ -308,3 +308,38 @@ def test_extraction_priority_without_x_forwarded_for(self):
         client_ip = RequestUtils.get_client_ip_from_request(request, options)
 
         self.assertEqual("203.0.113.1", client_ip)
+
+    def test_strip_down_pii_data_from_headers(self):
+        headers = {
+            'Host': 'net.example.com',
+            'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)',
+            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+            'Accept-Language': 'en-us,en;q=0.5',
+            'Accept-Encoding': 'gzip,deflate',
+            'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+            'Keep-Alive': '300',
+            'Connection': 'keep-alive',
+            'Cookie': 'PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120',
+            'Pragma': 'no-cache',
+            'Cache-Control': 'no-cache',
+            'authorization': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'access_token': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'apikey': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'password': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'passwd': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'secret': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'api_key': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z'
+        }
+
+        with requests_mock.Mocker(real_http=True) as request:
+            request.headers = headers
+
+        h = RequestUtils.get_headers_from_request(request.headers)
+
+        self.assertEqual(h.get('authorization'), None)
+        self.assertEqual(h.get('access_token'), None)
+        self.assertEqual(h.get('apikey'), None)
+        self.assertEqual(h.get('password'), None)
+        self.assertEqual(h.get('passwd]'), None)
+        self.assertEqual(h.get('secret'), None)
+        self.assertEqual(h.get('api_key'), None)
