Skip to content
This repository has been archived by the owner on Jun 11, 2018. It is now read-only.

Sanitize POST body when it's JSON #189

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Sanitize POST body when it's JSON #189

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions opbeat/processors.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@

from opbeat.utils import six, varmap
from opbeat.utils.encoding import force_text
from opbeat.utils.opbeat_json import is_json, loads, dumps


class Processor(object):
Expand Down Expand Up @@ -113,6 +114,8 @@ def filter_http(self, data):

data[n] = '&'.join('='.join(k) for k in querybits)
continue
if is_json(text_data):
data[n] = dumps(varmap(self.sanitize, loads(text_data)))
data[n] = varmap(self.sanitize, data[n])

def process(self, data, **kwargs):
Expand Down
7 changes: 7 additions & 0 deletions opbeat/utils/opbeat_json.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,3 +43,10 @@ def dumps(value, **kwargs):

def loads(value, **kwargs):
return json.loads(value, object_hook=better_decoder)

def is_json(value):
try:
loads(value)
return True
except ValueError:
return False
35 changes: 35 additions & 0 deletions tests/processors/tests.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
SanitizePasswordsProcessor)
from opbeat.utils import six
from opbeat.utils.encoding import force_text
from opbeat.utils.opbeat_json import dumps
from tests.utils.compat import TestCase


Expand Down Expand Up @@ -106,6 +107,40 @@ def test_post_as_string(self):
http = result['http']
assert 'evil' not in force_text(http['data'])

def test_post_as_json_bytes_string(self):
data = {
'http': {
'data': six.b(dumps({
'password': 'evil',
'api_key': 'evil',
'harmless': 'bar'
})),
}
}
proc = SanitizePasswordsProcessor(Mock())
result = proc.process(data)
self.assertTrue('http' in result)
http = result['http']
assert 'evil' not in force_text(http['data'])
assert 'bar' in force_text(http['data'])

def test_post_as_json_string(self):
data = {
'http': {
'data': dumps({
'password': 'evil',
'api_key': 'evil',
'harmless': 'bar'
}),
}
}
proc = SanitizePasswordsProcessor(Mock())
result = proc.process(data)
self.assertTrue('http' in result)
http = result['http']
assert 'evil' not in force_text(http['data'])
assert 'bar' in force_text(http['data'])

def test_querystring_as_string(self):
data = {
'http': {
Expand Down