From 32001b1c8b0ad34bcc3023199553d963a6bb29e7 Mon Sep 17 00:00:00 2001
From: nick-delirium
Date: Fri, 20 Sep 2024 10:44:18 +0200
Subject: [PATCH] spot body sanitizer
---
 spot/package.json | 2 +-
 spot/utils/networkTracking.ts | 103 ++++++++++++++++++++++++++++------
 2 files changed, 87 insertions(+), 18 deletions(-)
diff --git a/spot/package.json b/spot/package.json
index 87fe85db2..f3ac9c69f 100644
--- a/spot/package.json
+++ b/spot/package.json
@@ -2,7 +2,7 @@
 "name": "wxt-starter",
 "description": "manifest.json description",
 "private": true,
- "version": "1.0.7",
+ "version": "1.0.8",
 "type": "module",
 "scripts": {
 "dev": "wxt",
diff --git a/spot/utils/networkTracking.ts b/spot/utils/networkTracking.ts
index 9c55173e2..e1eaabb13 100644
--- a/spot/utils/networkTracking.ts
+++ b/spot/utils/networkTracking.ts
@@ -30,38 +30,106 @@ export const rawRequests: (TrackedRequest & {
 startTs: number;
 duration: number;
 })[] = [];
+
+const sensitiveParams = new Set([
+ "password",
+ "pass",
+ "pwd",
+ "mdp",
+ "token",
+ "bearer",
+ "key",
+ "secret",
+ "email",
+ "ssn",
+ "name",
+ "firstname",
+ "lastname",
+ "birthdate",
+ "dob",
+ "address",
+ "x-api-key",
+ "www-authenticate",
+ "x-csrf-token",
+ "x-requested-with",
+ "x-forwarded-for",
+ "x-real-ip",
+ "cookie",
+ "authorization",
+ "auth",
+ "proxy-authorization",
+ "set-cookie",
+]);
+
 function filterHeaders(headers: Record) {
 const filteredHeaders: Record = {};
- const privateHs = [
- "x-api-key",
- "www-authenticate",
- "x-csrf-token",
- "x-requested-with",
- "x-forwarded-for",
- "x-real-ip",
- "cookie",
- "authorization",
- "auth",
- "proxy-authorization",
- "set-cookie",
- ];
 if (Array.isArray(headers)) {
 headers.forEach(({ name, value }) => {
- if (privateHs.includes(name.toLowerCase())) {
- return;
+ if (sensitiveParams.has(name.toLowerCase())) {
+ filteredHeaders[name] = "******";
 } else {
 filteredHeaders[name] = value;
 }
 });
 } else {
 for (const [key, value] of Object.entries(headers)) {
- if (!privateHs.includes(key.toLowerCase())) {
+ if (sensitiveParams.has(key.toLowerCase())) {
+ filteredHeaders[key] = "******";
+ } else {
 filteredHeaders[key] = value;
 }
 }
 }
 return filteredHeaders;
 }
+
+// JSON or form data
+function filterBody(body: any) {
+ if (!body) {
+ return body;
+ }
+
+ let parsedBody;
+ let isJSON = false;
+
+ try {
+ parsedBody = JSON.parse(body);
+ isJSON = true;
+ } catch (e) {
+ // not json
+ }
+
+ if (isJSON) {
+ obscureSensitiveData(parsedBody);
+ return JSON.stringify(parsedBody);
+ } else {
+ const params = new URLSearchParams(body);
+ for (const key of params.keys()) {
+ if (sensitiveParams.has(key.toLowerCase())) {
+ params.set(key, "******");
+ }
+ }
+
+ return params.toString();
+ }
+}
+
+function obscureSensitiveData(obj: Record | any[]) {
+ if (Array.isArray(obj)) {
+ obj.forEach(obscureSensitiveData);
+ } else if (obj && typeof obj === "object") {
+ for (const key in obj) {
+ if (obj.hasOwnProperty(key)) {
+ if (sensitiveParams.has(key.toLowerCase())) {
+ obj[key] = "******";
+ } else if (obj[key] !== null && typeof obj[key] === "object") {
+ obscureSensitiveData(obj[key]);
+ }
+ }
+ }
+ }
+}
+
 export function createSpotNetworkRequest(
 trackedRequest: TrackedRequest,
 trackedTab?: number,
@@ -97,10 +165,11 @@ export function createSpotNetworkRequest(
 : 0;
 const status = getRequestStatus(trackedRequest);
 
+ const body = trackedRequest.reqBody ? filterBody(trackedRequest.reqBody) : "";
 const request: SpotNetworkRequest = {
 method: trackedRequest.method,
 type,
- body: trackedRequest.reqBody,
+ body,
 requestHeaders,
 responseHeaders,
 time: trackedRequest.timeStamp,
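Review bot: The non-JSON fallback in `filterBody` treats every other body as `application/x-www-form-urlencoded`, so a multipart/form-data, XML or plain-text body is neither redacted (its fields never show up in `params.keys()`) nor preserved (`params.toString()` re-encodes the raw text), and secrets carried in such bodies reach the recorded request unmasked. The form path should only run when the content type is actually form-encoded, which presumably can be taken from the request headers the caller already has, and any other non-JSON body should be replaced with a placeholder rather than recorded raw; a sketch of the branch is below. Separately, `obscureSensitiveData` calls `obj.hasOwnProperty(key)` on attacker-controlled parsed input, which throws a TypeError for a body such as `{"hasOwnProperty": 1}` and aborts request tracking; iterating with `for (const key of Object.keys(obj))` removes both the check and the throw, and `body: any` should be `body: string` since the function only makes sense for text. `createSpotNetworkRequest`, whose head closes this hunk, continues outside it.
```typescript
function filterBody(body: string, contentType?: string) {
  // … unchanged: empty check, JSON.parse attempt, JSON branch …
  // Only a form-encoded body can be redacted field by field; anything else
  // (multipart/form-data, XML, plain text) cannot be, so it is not recorded raw.
  if (!contentType?.toLowerCase().includes("application/x-www-form-urlencoded")) {
    return "******";
  }
  const params = new URLSearchParams(body);
  // … unchanged: per-key redaction and params.toString() …
}
```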