Strip sensitive information contained in URLs from frontend API calls

2023-02-15 14:46:31 -08:00 · 2023-02-15 14:46:31 -08:00 · e1176e9e3b
commit e1176e9e3b
parent a25606cfe9
3 changed files with 20 additions and 5 deletions
--- a/src/utils/proxy/api-helpers.js
+++ b/src/utils/proxy/api-helpers.js
@ -53,3 +53,12 @@ export function jsonArrayTransform(data, transform) {
 export function jsonArrayFilter(data, filter) {
  return jsonArrayTransform(data, (items) => items.filter(filter));
 }
+
+export function sanitizeErrorURL(errorURL) {
+  // Dont display sensitive params on frontend
+  const url = new URL(errorURL);
+  ["apikey", "api_key", "token", "t"].forEach(key => {
+    if (url.searchParams.has(key)) url.searchParams.set(key, "***")
+  });
+  return url.toString();
+}
--- a/src/utils/proxy/handlers/credentialed.js
+++ b/src/utils/proxy/handlers/credentialed.js
@ -1,5 +1,5 @@
 import getServiceWidget from "utils/config/service-helpers";
-import { formatApiCall } from "utils/proxy/api-helpers";
+import { formatApiCall, sanitizeErrorURL } from "utils/proxy/api-helpers";
 import validateWidgetData from "utils/proxy/validate-widget-data";
 import { httpProxy } from "utils/proxy/http";
 import createLogger from "utils/logger";
@ -68,7 +68,10 @@ export default async function credentialedProxyHandler(req, res, map) {
      }

      if (!validateWidgetData(widget, endpoint, data)) {
-        return res.status(500).json({error: {message: "Invalid data", url, data}});
+        if (data.error && data.error.url) {
+          data.error.url = sanitizeErrorURL(url);
+        }
+        return res.status(500).json({error: {message: "Invalid data", url: sanitizeErrorURL(url), data}});
      }

      if (status === 200 && map) {
--- a/src/utils/proxy/handlers/generic.js
+++ b/src/utils/proxy/handlers/generic.js
@ -1,5 +1,5 @@
 import getServiceWidget from "utils/config/service-helpers";
-import { formatApiCall } from "utils/proxy/api-helpers";
+import { formatApiCall, sanitizeErrorURL } from "utils/proxy/api-helpers";
 import validateWidgetData from "utils/proxy/validate-widget-data";
 import { httpProxy } from "utils/proxy/http";
 import createLogger from "utils/logger";
@ -35,7 +35,10 @@ export default async function genericProxyHandler(req, res, map) {
      let resultData = data;
      
      if (!validateWidgetData(widget, endpoint, resultData)) {
-        return res.status(status).json({error: {message: "Invalid data", url, data: resultData}});
+        if (resultData.error && resultData.error.url) {
+          resultData.error.url = sanitizeErrorURL(url);
+        }
+        return res.status(status).json({error: {message: "Invalid data", url: sanitizeErrorURL(url), data: resultData}});
      }

      if (status === 200 && map) {
@ -50,7 +53,7 @@ export default async function genericProxyHandler(req, res, map) {

      if (status >= 400) {
        logger.debug("HTTP Error %d calling %s//%s%s...", status, url.protocol, url.hostname, url.pathname);
-        return res.status(status).json({error: {message: "HTTP Error", url, data}});
+        return res.status(status).json({error: {message: "HTTP Error", url: sanitizeErrorURL(url), data}});
      }

      return res.status(status).send(resultData);