
[Feature] Filtering fields in the debug bar

Open DBX12 opened this issue 2 years ago • 8 comments

As a developer I want to filter certain fields from the debug page to prevent leaking secrets. The debug page currently lists all and everything it can get; some fields should not be shown when in a shared development environment. I would make it configurable per panel and only filter the Request and User panels. What do you think about this? I would prepare a PR if it is interesting for the project.

DBX12 avatar Mar 04 '22 10:03 DBX12

Could you provide an example of the danger you would like to prevent with it?

bizley avatar Mar 04 '22 12:03 bizley

For example in the requests tab, the Authorization header could be censored as it contains credentials. That's no problem but bad when you have a shared debug stage. My idea would be configuring the request panel with an array of header names which should be censored.

edit: Removed noise added with "reply by mail"

DBX12 avatar Mar 05 '22 17:03 DBX12

I'm asking since the debug panel should not be enabled for users other than developer(s). This concept of "shared" debug stage sounds wrong.

bizley avatar Mar 07 '22 07:03 bizley

The shared debug environment is not uncommon in commercial settings, I guess, since you can run integration tests against other systems there or have your QA team work on it and report issues to the dev team. In our setting, it is a duplicate of the production system but with dummy data, YII_ENV set to dev and IP-locked to the office on the OS level. While not really a valid argument, I want to note that a common Laravel debug page (whoops) has this capability too.

DBX12 avatar Mar 07 '22 10:03 DBX12

Ok, sounds legit then. LogTarget used in the debug panel can be configured since #469 and this allows us to use the features of https://github.com/yiisoft/yii2/blob/master/framework/log/Target.php with $maskVars and so on. Do you reckon this is enough to keep the data safe or something extra is necessary?

bizley avatar Mar 07 '22 11:03 bizley

I think using $maskVars won't work since the request panel is not using the log target, is it? I thought about not adding the values to $requestHeaders and $responseHeaders if the name is in the filter list. One example from RequestPanel.php:61:

foreach ($headers as $name => $value) {
  // proposed addition: skip headers whose name is on the configured filter list
  if (in_array($name, $filterList)) {
    continue;
  }
  // existing behaviour: unwrap single-valued headers
  if (is_array($value) && count($value) == 1) {
    $requestHeaders[$name] = current($value);
  } else {
    $requestHeaders[$name] = $value;
  }
}

Filtering the global vars GET and POST would be a bit more work, but still doable. For the UserPanel, I would need to look deeper into it (what exactly is shown, what would be sensible to make filterable).

DBX12 avatar Mar 10 '22 08:03 DBX12
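The header censoring sketched above, worked out as a stand-alone example (added here, not yii2-debug code or DBX12's PR): header names are matched case-insensitively since HTTP header names are case-insensitive, censored values are replaced with a marker rather than dropped so the developer still sees the header was sent, and the same idea is applied to GET/POST-style arrays. The `$filterList`/`$maskVars` option names and the sample request data are assumptions.

```php
<?php
// Added example, not part of yii2-debug. Masks sensitive request data before
// it is handed to a debug panel. Sample input below is constructed.
declare(strict_types=1);

const MASK = '***';

/**
 * @param array    $headers    header name => value (string or array of strings)
 * @param string[] $filterList header names to censor (hypothetical panel option)
 */
function filterHeaders(array $headers, array $filterList): array
{
    // HTTP header names are case-insensitive, so compare lower-cased names.
    $censor = array_map('strtolower', $filterList);
    $result = [];
    foreach ($headers as $name => $value) {
        if (in_array(strtolower($name), $censor, true)) {
            $result[$name] = MASK; // keep the key, hide the credential
            continue;
        }
        // Same unwrapping the panel already does for single-valued headers.
        $result[$name] = (is_array($value) && count($value) === 1) ? current($value) : $value;
    }
    return $result;
}

/**
 * Recursively mask values in GET/POST style arrays whose key is in $maskVars.
 * Same intent as yii\log\Target::$maskVars, applied to a plain array.
 */
function maskParams(array $params, array $maskVars): array
{
    $censor = array_map('strtolower', $maskVars);
    foreach ($params as $key => $value) {
        if (in_array(strtolower((string) $key), $censor, true)) {
            $params[$key] = MASK;
        } elseif (is_array($value)) {
            $params[$key] = maskParams($value, $maskVars);
        }
    }
    return $params;
}

// Constructed sample data: one benign header, two that carry credentials.
$headers = ['Host' => ['example.test'], 'authorization' => ['Bearer constructed-token'], 'Cookie' => ['PHPSESSID=constructed']];
print_r(filterHeaders($headers, ['Authorization', 'Cookie']));

$post = ['user' => 'alice', 'password' => 'constructed', 'nested' => ['api_key' => 'constructed']];
print_r(maskParams($post, ['password', 'api_key']));
```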

It is but I'm not sure if this is enough.

bizley avatar Mar 10 '22 08:03 bizley

The detail view of the request panel is rendered with a view file and simple <?= tags so I doubt the logTarget does anything here.

DBX12 avatar Mar 11 '22 07:03 DBX12