From 80185ce741729108301d26d2cd18598baf1f9af3 Mon Sep 17 00:00:00 2001
From: Nathan Shaaban <86252985+ctrlaltf24@users.noreply.github.com>
Date: Wed, 19 Jul 2023 18:51:17 +0000
Subject: [PATCH] Hide authorization header in httprequest debug output (#2953)

Co-authored-by: Nathan Shaaban <86252985+nshaaban-cPacket@users.noreply.github.com>
Co-authored-by: Rob Ede <robjtede@icloud.com>
---
 actix-web/CHANGES.md     |  1 +
 actix-web/src/request.rs | 57 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/actix-web/CHANGES.md b/actix-web/CHANGES.md
index 6c83d129b..7e82d095a 100644
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@@ -10,6 +10,7 @@
 ### Changed
 
 - Handler functions can now receive up to 16 extractor parameters.
+- Hide sensitive header values in `HttpRequest`'s `Debug` output.
 - Minimum supported Rust version (MSRV) is now 1.65 due to transitive `time` dependency.
 
 ## 4.3.1 - 2023-02-26
diff --git a/actix-web/src/request.rs b/actix-web/src/request.rs
index 543c9dfbe..ece36a388 100644
--- a/actix-web/src/request.rs
+++ b/actix-web/src/request.rs
@@ -435,16 +435,28 @@ impl fmt::Debug for HttpRequest {
             self.inner.head.method,
             self.path()
         )?;
+
         if !self.query_string().is_empty() {
             writeln!(f, "  query: ?{:?}", self.query_string())?;
         }
+
         if !self.match_info().is_empty() {
             writeln!(f, "  params: {:?}", self.match_info())?;
         }
+
         writeln!(f, "  headers:")?;
+
         for (key, val) in self.headers().iter() {
-            writeln!(f, "    {:?}: {:?}", key, val)?;
+            match key {
+                // redact sensitive header values from debug output
+                &crate::http::header::AUTHORIZATION
+                | &crate::http::header::PROXY_AUTHORIZATION
+                | &crate::http::header::COOKIE => writeln!(f, "    {:?}: {:?}", key, "*redacted*")?,
+
+                _ => writeln!(f, "    {:?}: {:?}", key, val)?,
+            }
         }
+
         Ok(())
     }
 }
@@ -908,4 +920,47 @@ mod tests {
         let body = read_body(bar_resp).await;
         assert_eq!(body, "http://localhost:8080/bar/nested");
     }
+
+    #[test]
+    fn authorization_header_hidden_in_debug() {
+        let authorization_header = "Basic bXkgdXNlcm5hbWU6bXkgcGFzc3dvcmQK";
+        let req = TestRequest::get()
+            .insert_header((crate::http::header::AUTHORIZATION, authorization_header))
+            .to_http_request();
+
+        assert!(!format!("{:?}", req).contains(authorization_header));
+    }
+
+    #[test]
+    fn proxy_authorization_header_hidden_in_debug() {
+        let proxy_authorization_header = "secret value";
+        let req = TestRequest::get()
+            .insert_header((
+                crate::http::header::PROXY_AUTHORIZATION,
+                proxy_authorization_header,
+            ))
+            .to_http_request();
+
+        assert!(!format!("{:?}", req).contains(proxy_authorization_header));
+    }
+
+    #[test]
+    fn cookie_header_hidden_in_debug() {
+        let cookie_header = "secret";
+        let req = TestRequest::get()
+            .insert_header((crate::http::header::COOKIE, cookie_header))
+            .to_http_request();
+
+        assert!(!format!("{:?}", req).contains(cookie_header));
+    }
+
+    #[test]
+    fn other_header_visible_in_debug() {
+        let location_header = "192.0.0.1";
+        let req = TestRequest::get()
+            .insert_header((crate::http::header::LOCATION, location_header))
+            .to_http_request();
+
+        assert!(format!("{:?}", req).contains(location_header));
+    }
 }