Comments (2)
It's to avoid leaking the authentication cookies of Webhook.site users, although I would say it could be done in a more elegant way.
Got it, got it, thanks. I didn't consider that webhook URLs are meant to be publicly shareable. I completely understand that this isn't a priority, but it would be cool if, instead of dropping the Cookie header entirely, you instead replaced the webhooksite_session value with "<redacted>". I attempted to draft some code for this, but as I'm not familiar with PHP (and the cloud codebase may differ here), it may be incorrect:
./app/Storage/Request.php
@@ -1,9 +1,11 @@
use Carbon\Carbon;
use Illuminate\Http\Request as HttpRequest;
use Ramsey\Uuid\Uuid;
+use Symfony\Component\HttpFoundation\HeaderUtils;
+
class Request extends Entity
{
/**
* @param $tokenId
* @param null $requestId
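Review bot: The new `use Symfony\Component\HttpFoundation\HeaderUtils;` import is only needed because createFromRequest re-serialises the whole cookie bag with `HeaderUtils::toString()`; if the redaction is instead done as a string replacement of the single `webhooksite_session=...` pair inside the raw Cookie header, this import becomes unused and should be dropped.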
@@ -22,10 +24,18 @@
* @param HttpRequest $httpRequest
* @return Request
*/
public static function createFromRequest(HttpRequest $httpRequest)
{
+ $cookies = $httpRequest->cookies();
+ $auth_token_name = 'webhooksite_session';
+ if ($cookies->get($auth_token_name)) {
+ $cookies->set($auth_token_name, '<redacted>');
+ $redactedCookiesVal = HeaderUtils::toString($cookies->all(), '; ');
+ $httpRequest->headers->set('cookie', $redactedCookiesVal);
+ }
+
$request = new self([
'uuid' => Uuid::uuid4()->toString(),
'token_id' => $httpRequest->tokenId,
'ip' => $httpRequest->ip(),
'hostname' => $httpRequest->getHost(),
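Review bot: `$cookies = $httpRequest->cookies();` calls `cookies` as a method, but on the Illuminate/Symfony request object the cookie bag is the public `cookies` property (`$httpRequest->cookies`); as written this line would throw, so the whole redaction block never runs. Two further points on the same hunk: `if ($cookies->get($auth_token_name))` skips redaction when the cookie value is falsy (e.g. `"0"`), so `$cookies->has($auth_token_name)` is the safer test; and `$cookies->set(...)` mutates the shared bag, so any later `$httpRequest->cookie('webhooksite_session')` lookup in the same request will also see `<redacted>`, which is probably fine for a capture endpoint but should be stated. Finally, rebuilding the header via `HeaderUtils::toString($cookies->all(), '; ')` rewrites spacing and quoting for every cookie (the normalisation the comment mentions); replacing only the named value inside the original header string would keep the rest of the header byte-for-byte.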
While this approach does have the downside of normalizing the HTTP header value (removing whitespace and potentially also normalizing the case), I would still prefer the behavior over just dropping the Cookie header entirely. However, since this is an issue most people wouldn't be concerned with, I understand if you'd like to avoid the additional complexity/capacity for bugs altogether.
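As an added illustration (not code from this thread or from webhook.site, and in Python rather than the project's PHP), the same redaction done on the raw Cookie header string instead of re-serialising the parsed cookie bag, which avoids the whitespace and quoting normalisation noted above; the function names, the header map and the sample request are assumptions, only the cookie name `webhooksite_session` and the `<redacted>` placeholder come from the comment.

```python
import re
from typing import Dict

# Session cookie named in the thread; placeholder text is the one proposed there.
SESSION_COOKIE = "webhooksite_session"
PLACEHOLDER = "<redacted>"


def redact_cookie_header(cookie_header: str, name: str = SESSION_COOKIE,
                         placeholder: str = PLACEHOLDER) -> str:
    """Replace only the value of cookie `name` inside a raw Cookie header.

    Works on the header string directly, so separators, spacing, ordering and
    the other cookies' values are kept byte-for-byte (no re-serialisation).
    A cookie-pair is `name=value`; `name` must start the header or follow a ';'
    so that e.g. `my_webhooksite_session` is not mistaken for the target.
    """
    pattern = re.compile(r"(^|;\s*)" + re.escape(name) + r"=[^;]*")
    return pattern.sub(lambda m: f"{m.group(1)}{name}={placeholder}", cookie_header)


def redact_request_headers(headers: Dict[str, str], name: str = SESSION_COOKIE,
                           placeholder: str = PLACEHOLDER) -> Dict[str, str]:
    """Return a copy of a captured header map with the named cookie redacted.

    Header names are matched case-insensitively; every other header, and the
    Cookie header's own casing, is returned unchanged. Nothing is dropped.
    """
    return {
        hname: (redact_cookie_header(hvalue, name, placeholder)
                if hname.lower() == "cookie" else hvalue)
        for hname, hvalue in headers.items()
    }


if __name__ == "__main__":
    # Constructed sample of what a captured webhook request might carry
    # (hypothetical values, not real session material).
    captured = {
        "Host": "example.invalid",
        "Cookie": "theme=dark;webhooksite_session=AAAA.BBBB;my_webhooksite_session=keep",
        "User-Agent": "curl/8.0",
    }
    for k, v in redact_request_headers(captured).items():
        print(f"{k}: {v}")
```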