
Commit 44b3091

Sanitize request_id from inputs
1 parent 928ca52 commit 44b3091

4 files changed

+32
-3
lines changed


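--- a/honeybadger/contrib/django.py
+++ b/honeybadger/contrib/django.py
@@ -7,7 +7,12 @@
 
 from honeybadger import honeybadger
 from honeybadger.plugins import Plugin, default_plugin_manager
-from honeybadger.utils import filter_dict, filter_env_vars, get_duration
+from honeybadger.utils import (
+    filter_dict,
+    filter_env_vars,
+    get_duration,
+    sanitize_request_id,
+)
 from honeybadger.contrib.db import DBHoneybadger
 
 try:
@@ -160,6 +165,7 @@ def _set_request_id(self, request):
             or getattr(request, "request_id", None)
             or request.headers.get("X-Request-ID", None)
         )
+        request_id = sanitize_request_id(request_id)
         if not request_id:
             request_id = str(uuid.uuid4())
 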
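Review bot: The new `sanitize_request_id(request_id)` line in `_set_request_id` has no comment saying why a caller-supplied identifier is being rewritten, and the next maintainer may "fix" it back to pass-through; a why-comment above it would pin the intent: `# X-Request-ID (and any request.id set upstream) is client-controlled; restrict it to [A-Za-z0-9-] and cap its length so a forged header cannot push newlines or oversized data into notices and logs.` The value handed to the sanitizer can also come from `request.id` / `request.request_id`, attributes populated by other middleware whose type is not visible here — presumably a `str`, but worth confirming since the sanitizer calls `.strip()` on it. The body of `_set_request_id` starts before this hunk.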
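--- a/honeybadger/contrib/flask.py
+++ b/honeybadger/contrib/flask.py
@@ -12,6 +12,7 @@
     filter_env_vars,
     get_duration,
     extract_honeybadger_config,
+    sanitize_request_id,
 )
 from honeybadger.contrib.db import DBHoneybadger
 from six import iteritems
@@ -202,7 +203,7 @@ def _initialize_honeybadger(self, config):
     def _handle_request_started(self, sender, *args, **kwargs):
         from flask import request
 
-        request_id = request.headers.get("X-Request-ID")
+        request_id = sanitize_request_id(request.headers.get("X-Request-ID"))
         if not request_id:
             request_id = str(uuid.uuid4())
 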
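Review bot: The sanitized value assigned in `_handle_request_started` can differ from the raw `X-Request-ID` the client or proxy sent — any underscore, dot or other character outside `[A-Za-z0-9-]` is dropped rather than the ID being rejected — so notices will carry an ID that no longer matches upstream logs for such requests, and nothing here records that trade-off. A short comment on the new line would make it explicit: `# Filtered copy of the header; may differ from what upstream logged, and becomes None (fresh UUID below) when nothing usable remains.` The `if not request_id` fallback now also covers the all-junk case because the sanitizer returns None instead of an empty string, which is the right fail-safe. The rest of `_handle_request_started` lies outside this hunk.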
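--- a/honeybadger/tests/test_utils.py
+++ b/honeybadger/tests/test_utils.py
@@ -1,4 +1,4 @@
-from honeybadger.utils import filter_dict, filter_env_vars
+from honeybadger.utils import filter_dict, filter_env_vars, sanitize_request_id
 
 
 def test_filter_dict():
@@ -69,3 +69,14 @@ def test_filter_env_vars_with_non_dict():
 
 def test_filter_env_vars_empty_dict():
     assert filter_env_vars({}) == {}
+
+
+def test_sanitize_request_id():
+    assert sanitize_request_id("abc123-def456") == "abc123-def456"
+    assert sanitize_request_id("abc_123@def#456") == "abc123def456"
+    assert sanitize_request_id("a" * 300) == "a" * 255
+    assert sanitize_request_id(" abc123 ") == "abc123"
+    assert sanitize_request_id("@#$%^&*()") is None
+    assert sanitize_request_id(None) is None
+    assert sanitize_request_id("") is None
+    assert sanitize_request_id(" ") is None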
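Review bot: `test_sanitize_request_id` does not pin the two properties that make the sanitizer a security control rather than a cosmetic one: that CR/LF and interior whitespace are removed (the log-injection case), and that filtering happens before the 255-character cut, so junk cannot be used to push a legitimate suffix past the limit. Two assertions cover both: `assert sanitize_request_id("abc\r\nX: y") == "abcXy"` and `assert sanitize_request_id("!" * 300 + "a" * 300) == "a" * 255`. If non-`str` inputs (e.g. a UUID object on `request.request_id`) are meant to be accepted, a case for that belongs here too; as written, the implementation under test would raise on them.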

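--- a/honeybadger/utils.py
+++ b/honeybadger/utils.py
@@ -1,5 +1,6 @@
 import json
 import time
+import re
 
 
 class StringReprJSONEncoder(json.JSONEncoder):
@@ -87,3 +88,13 @@ def get_duration(start_time):
         return None
 
     return round((time.time() - start_time) * 1000, 4)
+
+
+def sanitize_request_id(request_id):
+    """Sanitize a Request ID by keeping only alphanumeric characters and hyphens."""
+    if not request_id:
+        return None
+
+    sanitized = re.sub(r"[^a-zA-Z0-9-]", "", request_id.strip())[:255]
+
+    return sanitized or None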
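Review bot: `sanitize_request_id` assumes a `str`: `request_id.strip()` raises `AttributeError` for any other truthy value, and the Django caller passes whatever `getattr(request, "request_id", None)` holds, which is set by other middleware and not visible here, so a non-string ID would turn into an exception inside the request hook rather than a sanitized value. Coercing first keeps the fail-safe behaviour: `sanitized = re.sub(r"[^a-zA-Z0-9-]", "", str(request_id).strip())[:255]`. The docstring should also state that this filters rather than rejects, so distinct inbound IDs such as `abc_1` and `abc1` collapse onto the same value and the result may not match what an upstream proxy logged; if the ID is relied on for cross-service correlation, returning `None` on any disallowed character (so a fresh UUID is minted) is the stricter contract. Minor: the pattern can be compiled once at module level (`_REQUEST_ID_DISALLOWED = re.compile(r"[^a-zA-Z0-9-]")`) since this runs on every request.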
