Update: Filter out access tokens from error messages (#581)

src/lib/viewers/doc/DocBaseViewer.js

@@ -549,11 +549,11 @@ class DocBaseViewer extends BaseViewer {
 
                 // Display a generic error message but log the real one
                 const error = err;
-                if (err instanceof Error) {
+                if (error instanceof Error) {
                     error.displayMessage = __('error_document');
                 }
 
-                this.triggerError(err);
+                this.triggerError(error);
             });
     }
 

src/lib/viewers/error/PreviewErrorViewer.js

@@ -98,8 +98,13 @@ class PreviewErrorViewer extends BaseViewer {
 
         // The error will either be the message from the original error, the displayMessage from the orignal error,
         // or the default message from the locally created error
+        const errorMsg = err.message || displayMessage;
+
+        // Filter out any access tokens
+        const filteredMsg = errorMsg.replace(/access_token=([^&]*)/, 'access_token=[FILTERED]');
+
         this.emit('load', {
-            error: err.message || displayMessage
+            error: filteredMsg
         });
     }
 

src/lib/viewers/error/__tests__/PreviewErrorViewer-test.js

@@ -161,6 +161,21 @@ describe('lib/viewers/error/PreviewErrorViewer', () => {
                 }
             );
         });
+
+        it('should filter out access tokens before broadcasting', () => {
+            sandbox.stub(error, 'emit');
+
+            const err = new Error();
+            err.message = 'Unexpected server response (0) while retrieving PDF "www.box.com?access_token=blah&test=okay"';
+
+            error.load(err);
+
+            expect(error.emit).to.be.calledWith(
+                'load', {
+                    error: 'Unexpected server response (0) while retrieving PDF "www.box.com?access_token=[FILTERED]&test=okay"'
+                }
+            );
+        });
     });
 
     describe('addDownloadButton()', () => {