fix: fix regex for filtering credentials from logs

The ending "=" character of a base64 encoded string is padding. When the input length is a multiple of three (which is the case for our account id and license key), the output would not have the padding character. This results in our credentials not being filtered in the logs. This fixes the regex by removing the incorrect assumption. https://en.wikipedia.org/wiki/Base64#Output_padding
avadev · Aug 12, 2021 · bb25e4d · bb25e4d
1 parent 69822e9
commit bb25e4d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/lib/avatax/connection.rb b/lib/avatax/connection.rb
@@ -4,7 +4,8 @@ module AvaTax
 
   module Connection
     private
-    AUTHORIZATION_FILTER_REGEX = /(Authorization\:\ \"Basic\ )(\w+)\=/
+
+    AUTHORIZATION_FILTER_REGEX = /(Authorization:\ "Basic\ )(\w+)/
     REMOVED_LABEL = '\1[REMOVED]'
 
     def connection

diff --git a/spec/avatax/request_spec.rb b/spec/avatax/request_spec.rb
@@ -1,4 +1,5 @@
 require File.expand_path('../../spec_helper', __FILE__)
+require 'logger'
 
 describe AvaTax::Request do
 
@@ -22,4 +23,22 @@
       expect(response.env.request['timeout']).to eq(10)
     end
   end
+
+  describe 'filter credentials from logs' do
+    let(:string_io) { StringIO.new }
+    let(:logger) { Logger.new(string_io) }
+
+    it 'replaces credentials with a label' do
+      # Make 'name:pass' string length a multiple of three so the base64
+      # encoded string will not have padding characters '=' at the end.
+      @client.username = 'name'
+      @client.password = 'pass'
+
+      @client.custom_logger = logger
+      response = @client.request(:get, 'path', 'model')
+
+      expect(response.env.request_headers).to include('Authorization' => 'Basic bmFtZTpwYXNz')
+      expect(string_io.string).to match(/Authorization: "Basic \[REMOVED\]"/)
+    end
+  end
 end