HTTPEvents: filter headers using http_header_filters configuration (#10)

PetrHeinz · web-flow · commit ad1fbfda03d7 · 2023-08-14T14:10:42.000+02:00
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -23,7 +23,6 @@ jobs:
           - 2.5
           - 2.4
           - 2.3
-          - 2.2
           - jruby-9.4.3.0
           - jruby-9.2.14.0
           - truffleruby-23.0.0
diff --git a/lib/logtail-rack/http_events.rb b/lib/logtail-rack/http_events.rb
@@ -102,14 +102,24 @@ def silence_request
             @silence_request
           end
 
+          # Filter sensitive HTTP headers (such as "Authorization: Bearer secret_token")
+          #
+          # Filtered HTTP header values will be sent to Better Stack as "[FILTERED]"
+          #
+          # @example
+          #   Logtail::Integrations::Rack::HTTPEvents.http_header_filters = ["Authorization"]
           def http_header_filters=(value)
-            @http_header_filters = value
+            @http_header_filters = value.map { |header_name| normalize_header_name(header_name) }
           end
 
           # Accessor method for {#http_header_filters=}
           def http_header_filters
             @http_header_filters
           end
+
+          def normalize_header_name(name)
+            name.to_s.downcase.gsub("-", "_")
+          end
         end
 
         CONTENT_LENGTH_KEY = 'Content-Length'.freeze
@@ -138,12 +148,11 @@ def call(env)
 
               http_response = HTTPResponse.new(
                 content_length: content_length,
-                headers: headers,
+                headers: filter_http_headers(headers),
                 http_context: http_context,
                 request_id: request.request_id,
                 status: status,
                 duration_ms: duration_ms,
-                headers_to_sanitize: self.class.http_header_filters,
               )
 
               {
@@ -169,15 +178,14 @@ def call(env)
               http_request = HTTPRequest.new(
                 body: event_body,
                 content_length: safe_to_i(request.content_length),
-                headers: request.headers,
+                headers: filter_http_headers(request.headers),
                 host: force_encoding(request.host),
                 method: request.request_method,
                 path: request.path,
                 port: request.port,
                 query_string: force_encoding(request.query_string),
                 request_id: request.request_id,
                 scheme: force_encoding(request.scheme),
-                headers_to_sanitize: self.class.http_header_filters,
               )
 
               {
@@ -212,11 +220,10 @@ def call(env)
               http_response = HTTPResponse.new(
                 body: event_body,
                 content_length: content_length,
-                headers: headers,
+                headers: filter_http_headers(headers),
                 request_id: request.request_id,
                 status: status,
                 duration_ms: duration_ms,
-                headers_to_sanitize: self.class.http_header_filters,
               )
 
               {
@@ -260,6 +267,13 @@ def silenced?(env, request)
             end
           end
 
+          def filter_http_headers(headers)
+            headers.each do |name, _|
+              normalized_header_name = self.class.normalize_header_name(name)
+              headers[name] = "[FILTERED]" if self.class.http_header_filters&.include?(normalized_header_name)
+            end
+          end
+
           def safe_to_i(val)
             val.nil? ? nil : val.to_i
           end
diff --git a/lib/logtail-rack/version.rb b/lib/logtail-rack/version.rb
@@ -1,7 +1,7 @@
 module Logtail
   module Integrations
     module Rack
-      VERSION = "0.2.1"
+      VERSION = "0.2.2"
     end
   end
 end
diff --git a/logtail-ruby-rack.gemspec b/logtail-ruby-rack.gemspec
@@ -12,7 +12,7 @@ Gem::Specification.new do |spec|
   spec.homepage      = "https://github.com/logtail/logtail-ruby-rack"
   spec.license       = "ISC"
 
-  spec.required_ruby_version     = '>= 2.2.10'
+  spec.required_ruby_version     = '>= 2.3'
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = "https://github.com/logtail/logtail-ruby-rack"
diff --git a/spec/logtail-rack/http_events_spec.rb b/spec/logtail-rack/http_events_spec.rb
@@ -0,0 +1,70 @@
+require "spec_helper"
+require "logtail-rack/config"
+require 'stringio'
+
+
+RSpec.describe Logtail::Integrations::Rack::HTTPEvents do
+  let(:app) { ->(env) { [200, env, "app"] } }
+  let(:mock_request) { Rack::MockRequest.env_for('https://example.com/test-page', { 'HTTP_AUTHORIZATION' => 'Bearer secret_token', 'HTTP_CONTENT_TYPE' => 'text/plain' }) }
+
+  let :middleware do
+    described_class.new(app)
+  end
+
+  it "log HTTP request and response" do
+    logs = capture_logs { middleware.call mock_request }
+
+    expect(logs.map { |log| log['message'] }).to match(['Started GET "/test-page"', /Completed 200 OK in \d+\.\d+ms/])
+  end
+
+  it "log HTTP request headers" do
+    logs = capture_logs { middleware.call mock_request }
+
+    request_headers_json = logs.first["event"]["http_request_received"]["headers_json"]
+    expect(JSON.parse(request_headers_json)).to eq({"Authorization" => "Bearer secret_token", "Content_Type" => "text/plain"})
+  end
+
+  it "filter HTTP request headers using http_header_filters" do
+    logs = capture_logs { with_http_header_filters(%w[Authorization]) { middleware.call mock_request } }
+
+    request_headers_json = logs.first["event"]["http_request_received"]["headers_json"]
+    expect(JSON.parse(request_headers_json)).to eq({"Authorization" => "[FILTERED]", "Content_Type" => "text/plain"})
+  end
+
+  it "filter HTTP request headers using http_header_filters without regard to case or dashes" do
+    logs = capture_logs { with_http_header_filters(%w[authorization CONTENT-TYPE]) { middleware.call mock_request } }
+
+    request_headers_json = logs.first["event"]["http_request_received"]["headers_json"]
+    expect(JSON.parse(request_headers_json)).to eq({"Authorization" => "[FILTERED]", "Content_Type" => "[FILTERED]"})
+  end
+
+  it "ignores non-existent headers in http_header_filters" do
+    logs = capture_logs { with_http_header_filters(%w[Not_Found_Header]) { middleware.call mock_request } }
+
+    request_headers_json = logs.first["event"]["http_request_received"]["headers_json"]
+    expect(JSON.parse(request_headers_json)).to eq({"Authorization" => "Bearer secret_token", "Content_Type" => "text/plain"})
+  end
+
+  def capture_logs(&blk)
+    old_logger = Logtail::Config.instance.logger
+
+    string_io = StringIO.new
+    logger = Logtail::Logger.new(string_io)
+    logger.formatter = Logtail::Logger::JSONFormatter.new
+    Logtail::Config.instance.logger = logger
+
+    blk.call
+
+    string_io.string.split("\n").map { |record| JSON.parse(record) }
+  ensure
+    Logtail::Config.instance.logger = old_logger
+  end
+
+  def with_http_header_filters(headers, &blk)
+    previous_http_header_filters = Logtail::Integrations::Rack::HTTPEvents.http_header_filters = headers
+
+    blk.call
+  ensure
+    Logtail::Integrations::Rack::HTTPEvents.http_header_filters = previous_http_header_filters
+  end
+end
