Skip to content

Commit cfa716a

Browse files
author
Inbal Tako
committed
Remove pii data from headers
1 parent 63fb9e3 commit cfa716a

5 files changed

Lines changed: 48 additions & 3 deletions

File tree

VERSION

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
0.3.5
1+
0.3.6

securenative/context/securenative_context.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ def from_http_request(request, options):
2121
client_token = None
2222

2323
try:
24-
headers = dict(request.headers)
24+
headers = RequestUtils.get_headers_from_request(request.headers)
2525
except Exception:
2626
headers = None
2727

securenative/utils/request_utils.py

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ class RequestUtils(object):
55
SECURENATIVE_COOKIE = "_sn"
66
SECURENATIVE_HEADER = "x-securenative"
77
IP_HEADERS = ["HTTP_X_FORWARDED_FOR", "X_FORWARDED_FOR", "REMOTE_ADDR", "x-forwarded-for", "x-client-ip", "x-real-ip", "x-forwarded", "x-cluster-client-ip", "forwarded-for", "forwarded", "via"]
8+
PII_HEADERS = ['authorization', 'access_token', 'apikey', 'password', 'passwd', 'secret', 'api_key']
89

910
@staticmethod
1011
def get_secure_header_from_request(headers):
@@ -76,3 +77,12 @@ def get_valid_ip(ips):
7677

7778
if IpUtils.is_loop_back(ip):
7879
return ip
80+
81+
@staticmethod
82+
def get_headers_from_request(headers):
83+
h = {}
84+
for header in headers:
85+
if header not in RequestUtils.PII_HEADERS:
86+
h[header] = headers[header]
87+
88+
return h

securenative/utils/version_utils.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@ class VersionUtils(object):
22

33
@staticmethod
44
def get_version():
5-
return "0.3.5"
5+
return "0.3.6"

tests/request_utils_test.py

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -308,3 +308,38 @@ def test_extraction_priority_without_x_forwarded_for(self):
308308
client_ip = RequestUtils.get_client_ip_from_request(request, options)
309309

310310
self.assertEqual("203.0.113.1", client_ip)
311+
312+
def test_strip_down_pii_data_from_headers(self):
313+
headers = {
314+
'Host': 'net.example.com',
315+
'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)',
316+
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
317+
'Accept-Language': 'en-us,en;q=0.5',
318+
'Accept-Encoding': 'gzip,deflate',
319+
'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
320+
'Keep-Alive': '300',
321+
'Connection': 'keep-alive',
322+
'Cookie': 'PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120',
323+
'Pragma': 'no-cache',
324+
'Cache-Control': 'no-cache',
325+
'authorization': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
326+
'access_token': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
327+
'apikey': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
328+
'password': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
329+
'passwd': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
330+
'secret': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
331+
'api_key': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z'
332+
}
333+
334+
with requests_mock.Mocker(real_http=True) as request:
335+
request.headers = headers
336+
337+
h = RequestUtils.get_headers_from_request(request.headers)
338+
339+
self.assertEqual(h.get('authorization'), None)
340+
self.assertEqual(h.get('access_token'), None)
341+
self.assertEqual(h.get('apikey'), None)
342+
self.assertEqual(h.get('password'), None)
343+
self.assertEqual(h.get('passwd]'), None)
344+
self.assertEqual(h.get('secret'), None)
345+
self.assertEqual(h.get('api_key'), None)

0 commit comments

Comments
 (0)