Patchwork D6513: phabricator: auto-sanitise API tokens and HTTP cookies from VCR recordings

Submitter phabricator
Date June 11, 2019, 6:56 p.m.
Message ID <differential-rev-PHID-DREV-igs7bqseguzpj3bmriv3-req@mercurial-scm.org>
Permalink /patch/40431/
State Superseded

Comments

phabricator - June 11, 2019, 6:56 p.m.
Kwan created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  Currently when making VCR recordings one needs to manually sanitise sensitive
  credentials before committing and submitting them as part of tests. It is easy
  to imagine this being accidentally missed one time by a fallible human and said
  credentials being leaked. It is also possible that it wouldn't be noticed to
  alert the user to the leak since the recording files are so large and
  practically unreviewable. Thus do so automatically, so the only place that needs
  checking is in the test-phabricator.t file.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D6513

AFFECTED FILES
  hgext/phabricator.py
  tests/test-phabricator.t

CHANGE DETAILS




To: Kwan, #hg-reviewers
Cc: mercurial-devel

Patch

diff --git a/tests/test-phabricator.t b/tests/test-phabricator.t
--- a/tests/test-phabricator.t
+++ b/tests/test-phabricator.t
@@ -15,8 +15,8 @@ 
   > hgphab.prefix = phab.mercurial-scm.org
   > # When working on the extension and making phabricator interaction
   > # changes, edit this to be a real phabricator token. When done, edit
-  > # it back, and make sure to also edit your VCR transcripts to match
-  > # whatever value you put here.
+  > # it back. The VCR transcripts will be auto-sanitised to replace your real
+  > # token with this value.
   > hgphab.phabtoken = cli-hahayouwish
   > EOF
   $ VCR="$TESTDIR/phabricator"
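Review bot: The rewritten comment promises that the transcripts "will be auto-sanitised to replace your real token with this value", but the replacement literal `cli-hahayouwish` is hard-coded separately in hgext/phabricator.py rather than derived from `hgphab.phabtoken`, so the two have to be kept in sync by hand. Worth saying so here (e.g. "this value must match the placeholder used by sanitiserequest in phabricator.py") or sharing a single constant between the two. It is also worth noting in the comment that the scrubbing only recognises tokens of the `cli-...` form the sanitiser regex matches, since a token in any other shape would be recorded verbatim.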
diff --git a/hgext/phabricator.py b/hgext/phabricator.py
--- a/hgext/phabricator.py
+++ b/hgext/phabricator.py
@@ -134,6 +134,19 @@ 
         r2params = r2.body.split(b'&')
         return set(r1params) == set(r2params)
 
+    def sanitiserequest(request):
+        request.body = re.sub(
+            r'cli-[a-z0-9]+',
+            r'cli-hahayouwish',
+            request.body
+        )
+        return request
+
+    def sanitiseresponse(response):
+        if r'set-cookie' in response[r'headers']:
+            del response[r'headers'][r'set-cookie']
+        return response
+
     def decorate(fn):
         def inner(*args, **kwargs):
             cassette = pycompat.fsdecode(kwargs.pop(r'test_vcr', None))
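Review bot: `sanitiserequest` mixes str and bytes: the context line `r2params = r2.body.split(b'&')` at the top of this hunk shows the body is bytes, yet `re.sub` is given the str patterns `r'cli-[a-z0-9]+'` and `r'cli-hahayouwish'`, which on Python 3 raises `TypeError: cannot use a string pattern on a bytes-like object` the first time a recording is made. Use bytes patterns (`br'cli-[a-z0-9]+'`, `br'cli-hahayouwish'`), and guard against `request.body` being `None` for body-less requests, which `re.sub` would also reject. Two narrower points on coverage: only the body is scrubbed, so a token carried in a header or query string would still land in the cassette; and `sanitiseresponse` looks up `r'set-cookie'` as a case-sensitive dict key, so a header recorded as `Set-Cookie` would pass through untouched. Worth confirming how the cassette keys its headers, or matching the name case-insensitively.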
@@ -144,6 +157,8 @@ 
                     import vcr.stubs as stubs
                     vcr = vcrmod.VCR(
                         serializer=r'json',
+                        before_record_request=sanitiserequest,
+                        before_record_response=sanitiseresponse,
                         custom_patches=[
                             (urlmod, r'httpconnection',
                              stubs.VCRHTTPConnection),
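Review bot: `before_record_request` and `before_record_response` only run when a cassette is being written, so existing recordings under `$TESTDIR/phabricator` are not cleaned retroactively; any cassette recorded with a real token before this change still needs re-recording or a manual check, and the revision summary should say so. A one-line comment next to these two keyword arguments noting that they exist to scrub credentials would also help, since nothing else in the VCR constructor tells a future reader these callbacks are security-relevant.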