laravel-request-logger
Security | Also mask lowercased variant of filter params
The current set of default request-logger.filters in config/request-logger.php is quite misleading:
```php
'filters' => [
    'password',
    'password_confirm',
    'apikey',
    'api_token',
    'Authorization', // 💥
    'filter.search',
],
```
You could assume that Request header keys are Pascal-Cased, as the sample filters contain Authorization. This is widely used, even though the standards say they are case insensitive and should be lowercased.
In my case, this led to a security issue, as none of my webhook's authorization headers were masked in RequestLog model's headers attribute. The current implementation of RequestLog::replaceParameters() is case-sensitive, but the Request headers were actually lowercased. Arr::get() and Arr::set() are also case-sensitive.
As a workaround, I am now search-replacing both variants, the original filter key plus its lowercased version. So we can safely leave Authorization in the default config.
In addition, this PR now masks the filtered values by the same length of asterisks (BEFORE: fixed-length ********), for improved debugging.
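As an added illustration of the two behaviours described above (not the package's own code), the following plain PHP reproduces the workaround without the Laravel `Arr` helpers: each filter is looked up both as written and in its lowercased form, dot-notated filters such as `filter.search` descend into nested arrays, and the matched value is replaced by an asterisk run of the same length. The function and variable names, and the sample headers and body, are constructed for this example.

```php
<?php
declare(strict_types=1);

// Replace a scalar with a same-length run of asterisks; header values in
// Laravel/Symfony are arrays of strings, so mask each element of an array.
function maskValue(mixed $value): mixed
{
    if (is_array($value)) {
        return array_map('maskValue', $value);
    }
    return str_repeat('*', strlen((string) $value));
}

// Follow a dot-notated path (e.g. ['filter', 'search']) through nested
// arrays and mask the leaf if every segment exists. Lookup is
// case-sensitive on purpose: the caller supplies both key variants.
function maskPath(array $data, array $segments): array
{
    $key = array_shift($segments);
    if (!array_key_exists($key, $data)) {
        return $data; // path not present, nothing to mask
    }
    if ($segments === []) {
        $data[$key] = maskValue($data[$key]);
    } elseif (is_array($data[$key])) {
        $data[$key] = maskPath($data[$key], $segments);
    }
    return $data;
}

// Case-insensitive masking: try each filter as configured and lowercased,
// because PSR-7/Symfony normalise header names to lowercase while the
// config may list them Pascal-Cased (e.g. 'Authorization').
function replaceParameters(array $data, array $filters): array
{
    foreach ($filters as $filter) {
        foreach (array_unique([$filter, strtolower($filter)]) as $variant) {
            $data = maskPath($data, explode('.', $variant));
        }
    }
    return $data;
}

// Constructed sample input: headers already lowercased by the framework,
// and a request body with a nested filter.search key.
$filters = ['password', 'Authorization', 'filter.search'];
$headers = [
    'host'          => ['example.test'],
    'authorization' => ['Bearer abc123'],
    'accept'        => ['*/*'],
];
$body = [
    'email'    => 'user@example.test',
    'password' => 'hunter2',
    'filter'   => ['search' => 'secret term', 'page' => 2],
];

print_r(replaceParameters($headers, $filters)); // authorization => ['*************']
print_r(replaceParameters($body, $filters));    // password => '*******', filter.search => '***********'
```

Run it with `php example.php`. One consequence of same-length masking worth knowing when you log headers: the asterisk run reveals the length of the original secret, which is fine for debugging token shape but is slightly more information than a fixed-length placeholder leaks.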
For installations that suffer from the same flaw, you can sanitize the existing records without destroying all request_log data, like this (MySQL/MariaDB; note the doubled backslash, since a single `\s` inside a MySQL string literal is read as a plain `s` unless `NO_BACKSLASH_ESCAPES` is set):
```sql
UPDATE `request_logs`
SET `headers` = REGEXP_REPLACE(`headers`, 'Bearer:?\\s*[^"]+', '********')
WHERE `headers` LIKE '%authorization%';
```