nest-raven icon indicating copy to clipboard operation
nest-raven copied to clipboard

Published 20 hours ago verified publisher icon mentos1386

Dumping entire request objects is unsafe

Open eropple opened this issue 5 years ago • 2 comments

Shipping req objects as part of error reports can lead to the leakage of secure information, including credentials. Sentry will strip "sensitive" keys in a project, but 1) users have to know to turn it on, 2) this still means you're sending the content over the wire to a third party, and 3) they won't strip all of them; Authentication headers, for example, seem to be retained, and depending on the arbitrary naming of request body fields the contents thereof may or may not actually be stripped.

I'd suggest instead a whitelist of content to send, rather than just sending an entire req object (which also results in the serialization of less-than-useful content, too).

This is probably a major version iteration, but unfortunately, as-is, nest-raven is IMO unsafe in production. I may be able to do the heavy lifting on fixes, however, if we can agree on an API.

eropple avatar Oct 07 '19 06:10 eropple

nest-raven is directly using[1] official sentry nodejs method for extracting request data [2]. Which by default extracts only some keys[3]. This can be configured[4,5], but not currently in nest-raven [6]. Would the addition of this suite your needs?

[1] https://github.com/mentos1386/nest-raven/blob/master/lib/raven.interceptor.ts#L71 [2] https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/handlers.ts#L57 [3] https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/handlers.ts#L54 [4] https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/handlers.ts#L189 [5] https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/handlers.ts#L59 [6] https://github.com/mentos1386/nest-raven/blob/master/lib/raven.interfaces.ts#L21

mentos1386 avatar Oct 10 '19 12:10 mentos1386

Hey--

So I did look at that before posting, and it seems like the keys that it extracts are shallow ones. And they make sense--pull headers, cookies, that sort of thing. Where it goes sideways is nested keys, like req.headers.authorization, which it doesn't seem to deal with (and relies on Sentry's remote sensitive-key stripping to deal with, where it can?).

I've learned from experience to lead people into making secure choices by default. Some degree of configurability here might help, but I'm still concerned overall with how easy it'll be to accidentally data-exfiltrate yourself.

eropple avatar Oct 10 '19 13:10 eropple