Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(HTTP Request Node): Sanitize authorization headers #10607

Conversation

ShireenMissi
Copy link
Contributor

@ShireenMissi ShireenMissi commented Aug 29, 2024

Summary

The following Credentials use Base64 encoded headers and therefore were missed from the sanitisation

  • Customer IO
  • Lemlist API
  • Segment API
  • UProc API

This PR sanitise the headers based on seeing any of these keys ['authorization', 'x-api-key', 'x-auth-token', 'cookie', 'proxy-authorization', 'sslclientcert'] regardless if the credentials were encoded or not

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/NODE-1661/obfuscate-cred-info-in-http-node-error-messages-regression

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@n8n-assistant n8n-assistant bot added n8n team Authored by the n8n team node/improvement New feature or request labels Aug 29, 2024
@ShireenMissi ShireenMissi added the release/backport Changes that need to be backported to older releases. label Aug 29, 2024
tomi
tomi previously approved these changes Aug 29, 2024
Copy link
Contributor

@tomi tomi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for a quick fix 👏 One suggestion for an extra test case, but also good as is

tomi
tomi previously approved these changes Aug 29, 2024
Copy link
Contributor

@tomi tomi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

Copy link

cypress bot commented Aug 29, 2024

n8n    Run #6667

Run Properties:  status check passed Passed #6667  •  git commit 5b4f1b5b18: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 ShireenMissi 🗃️ e2e/*
Project n8n
Branch Review node-1661-obfuscate-cred-info-in-http-node-error-messages-regression
Run status status check passed Passed #6667
Run duration 04m 55s
Commit git commit 5b4f1b5b18: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 ShireenMissi 🗃️ e2e/*
Committer Shireen Missi
View all properties for this run ↗︎

Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 2
Tests that did not run due to a developer annotating a test with .skip  Pending 0
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 421
View all changes introduced in this branch ↗︎

Copy link
Contributor

✅ All Cypress E2E specs passed

elsmr
elsmr previously approved these changes Aug 29, 2024
packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts Outdated Show resolved Hide resolved
@ShireenMissi ShireenMissi dismissed stale reviews from elsmr and tomi via 34bda8b August 29, 2024 13:51
Copy link
Contributor

✅ All Cypress E2E specs passed

@ShireenMissi ShireenMissi merged commit 405c55a into master Aug 29, 2024
33 checks passed
@ShireenMissi ShireenMissi deleted the node-1661-obfuscate-cred-info-in-http-node-error-messages-regression branch August 29, 2024 14:28
MiloradFilipovic added a commit that referenced this pull request Aug 30, 2024
* master: (21 commits)
  feat: Add queue mode setup to benchmarks (no-changelog) (#10608)
  feat: Add n8n postgres setup to benchmarks (no-changelog) (#10604)
  fix(API): Update express-openapi-validator to resolve AIKIDO-2024-10229 (#10612)
  fix: Fix edge case in log in (no-changelog) (#10610)
  feat: Add local orchestration of benchmarks (no-changelog) (#10589)
  ci: Run nightly benchmark against nightly n8n image (no-changelog) (#10588)
  fix: Reduce variability in benchmarks (no-changelog) (#10606)
  docs: Add missing changelog entry (#10609)
  refactor(editor): Convert ResourceLocator to composition API (no-changelog) (#10526)
  feat(editor): Update new canvas node handle label rendering mechanism and design (no-changelog) (#10611)
  refactor(editor): Convert credential related components to composition API (no-changelog) (#10530)
  fix(HTTP Request Node): Sanitize authorization headers (#10607)
  refactor: Use `NodeConnectionType` consistently across the code base (no-changelog) (#10595)
  fix(editor): Hide execution buttons in readonly mode in new canvas (no-changelog) (#10603)
  fix(editor): Prevent keyboard shortcuts when ndv is open in new canvas (no-changelog) (#10601)
  fix(editor): Add confirmation toast when changing user role (#10592)
  feat(editor): Add support for changing sticky notes color in new canvas (no-changelog) (#10593)
  ci: Fix `forceConsistentCasingInFileNames` for aliased paths (no-changelog) (#10598)
  feat(editor): Allow sticky notes alongside fallback nodes in new canvas (no-changelog) (#10583)
  ci: Push nightly images to ghcr (no-changelog) (#10580)
  ...
@github-actions github-actions bot mentioned this pull request Sep 5, 2024
@janober
Copy link
Member

janober commented Sep 5, 2024

Got released with n8n@1.58.0

@detoxhby
Copy link

detoxhby commented Sep 24, 2024

After upgrading, this MR broke many many API calls on workflows where X-Api-Key / X-Auth-Token were embedded into the headers of a HTTP Request node, had to downgrade.

I understand this is necessary for specific type of nodes (as stated in the description) where you expect crendentials to be set explicitely but why would you apply this logic to the generic HTTP Request node? What's the intention behind limiting usabilty?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
n8n team Authored by the n8n team node/improvement New feature or request release/backport Changes that need to be backported to older releases. Released
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants