-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(HTTP Request Node): Sanitize authorization headers #10607
fix(HTTP Request Node): Sanitize authorization headers #10607
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for a quick fix 👏 One suggestion for an extra test case, but also good as is
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
n8n Run #6667
Run Properties:
|
Project |
n8n
|
Branch Review |
node-1661-obfuscate-cred-info-in-http-node-error-messages-regression
|
Run status |
Passed #6667
|
Run duration | 04m 55s |
Commit |
5b4f1b5b18: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 ShireenMissi 🗃️ e2e/*
|
Committer | Shireen Missi |
View all properties for this run ↗︎ |
Test results | |
---|---|
Failures |
0
|
Flaky |
2
|
Pending |
0
|
Skipped |
0
|
Passing |
421
|
View all changes introduced in this branch ↗︎ |
✅ All Cypress E2E specs passed |
✅ All Cypress E2E specs passed |
* master: (21 commits) feat: Add queue mode setup to benchmarks (no-changelog) (#10608) feat: Add n8n postgres setup to benchmarks (no-changelog) (#10604) fix(API): Update express-openapi-validator to resolve AIKIDO-2024-10229 (#10612) fix: Fix edge case in log in (no-changelog) (#10610) feat: Add local orchestration of benchmarks (no-changelog) (#10589) ci: Run nightly benchmark against nightly n8n image (no-changelog) (#10588) fix: Reduce variability in benchmarks (no-changelog) (#10606) docs: Add missing changelog entry (#10609) refactor(editor): Convert ResourceLocator to composition API (no-changelog) (#10526) feat(editor): Update new canvas node handle label rendering mechanism and design (no-changelog) (#10611) refactor(editor): Convert credential related components to composition API (no-changelog) (#10530) fix(HTTP Request Node): Sanitize authorization headers (#10607) refactor: Use `NodeConnectionType` consistently across the code base (no-changelog) (#10595) fix(editor): Hide execution buttons in readonly mode in new canvas (no-changelog) (#10603) fix(editor): Prevent keyboard shortcuts when ndv is open in new canvas (no-changelog) (#10601) fix(editor): Add confirmation toast when changing user role (#10592) feat(editor): Add support for changing sticky notes color in new canvas (no-changelog) (#10593) ci: Fix `forceConsistentCasingInFileNames` for aliased paths (no-changelog) (#10598) feat(editor): Allow sticky notes alongside fallback nodes in new canvas (no-changelog) (#10583) ci: Push nightly images to ghcr (no-changelog) (#10580) ...
Got released with |
After upgrading, this MR broke many many API calls on workflows where I understand this is necessary for specific type of nodes (as stated in the description) where you expect crendentials to be set explicitely but why would you apply this logic to the generic HTTP Request node? What's the intention behind limiting usabilty? |
Summary
The following Credentials use Base64 encoded headers and therefore were missed from the sanitisation
This PR sanitise the headers based on seeing any of these keys ['authorization', 'x-api-key', 'x-auth-token', 'cookie', 'proxy-authorization', 'sslclientcert'] regardless if the credentials were encoded or not
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/NODE-1661/obfuscate-cred-info-in-http-node-error-messages-regression
Review / Merge checklist
release/backport
(if the PR is an urgent fix that needs to be backported)