Mercurial > hg-stable
changeset 42459:d3c81439e2ee
phabricator: auto-sanitise API tokens and HTTP cookies from VCR recordings
Currently when making VCR recordings one needs to manually sanitise sensitive
credentials before committing and submitting them as part of tests. It is easy
to imagine this being accidentally missed one time by a fallible human and said
credentials being leaked. It is also possible that it wouldn't be noticed to
alert the user to the leak since the recording files are so large and
practically unreviewable. Thus do so automatically, so the only place that needs
checking is in the test-phabricator.t file.
Differential Revision: https://phab.mercurial-scm.org/D6513
author | Ian Moody <moz-ian@perix.co.uk> |
---|---|
date | Tue, 11 Jun 2019 19:37:19 +0100 |
parents | c1bf63ac30c5 |
children | f33d3ee110da |
files | hgext/phabricator.py tests/test-phabricator.t |
diffstat | 2 files changed, 17 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/hgext/phabricator.py Tue Jun 11 15:46:07 2019 +0300 +++ b/hgext/phabricator.py Tue Jun 11 19:37:19 2019 +0100 @@ -134,6 +134,19 @@ r2params = r2.body.split(b'&') return set(r1params) == set(r2params) + def sanitiserequest(request): + request.body = re.sub( + r'cli-[a-z0-9]+', + r'cli-hahayouwish', + request.body + ) + return request + + def sanitiseresponse(response): + if r'set-cookie' in response[r'headers']: + del response[r'headers'][r'set-cookie'] + return response + def decorate(fn): def inner(*args, **kwargs): cassette = pycompat.fsdecode(kwargs.pop(r'test_vcr', None)) @@ -144,6 +157,8 @@ import vcr.stubs as stubs vcr = vcrmod.VCR( serializer=r'json', + before_record_request=sanitiserequest, + before_record_response=sanitiseresponse, custom_patches=[ (urlmod, r'httpconnection', stubs.VCRHTTPConnection),
--- a/tests/test-phabricator.t Tue Jun 11 15:46:07 2019 +0300 +++ b/tests/test-phabricator.t Tue Jun 11 19:37:19 2019 +0100 @@ -15,8 +15,8 @@ > hgphab.prefix = phab.mercurial-scm.org > # When working on the extension and making phabricator interaction > # changes, edit this to be a real phabricator token. When done, edit - > # it back, and make sure to also edit your VCR transcripts to match - > # whatever value you put here. + > # it back. The VCR transcripts will be auto-sanitised to replace your real + > # token with this value. > hgphab.phabtoken = cli-hahayouwish > EOF $ VCR="$TESTDIR/phabricator"