
Comments (2)

fredsted commented on June 25, 2024

It's to avoid leaking the authentication cookies of Webhook.site users, although I would say it could be done in a more elegant way.

from webhook.site.

srithon commented on June 25, 2024

> It's to avoid leaking the authentication cookies of Webhook.site users, although I would say it could be done in a more elegant way.

Got it, got it, thanks. I didn't consider that webhook URLs are meant to be publicly shareable. I completely understand that this isn't a priority, but it would be cool if, instead of dropping the Cookie header entirely, you instead replaced the webhooksite_session value with "<redacted>". I attempted to draft some code for this, but as I'm not familiar with PHP (and the cloud codebase may differ here), it may be incorrect:

./app/Storage/Request.php
@@ -1,9 +1,11 @@
 use Carbon\Carbon;
 use Illuminate\Http\Request as HttpRequest;
 use Ramsey\Uuid\Uuid;
 
+use Symfony\Component\HttpFoundation\HeaderUtils;
+
 class Request extends Entity
 {
     /**
      * @param $tokenId
      * @param null $requestId
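Review bot: the new `use Symfony\Component\HttpFoundation\HeaderUtils;` is isolated by a blank line on each side, while the three existing imports (`Carbon\Carbon`, `Illuminate\Http\Request`, `Ramsey\Uuid\Uuid`) form one contiguous, alphabetically ordered block; put it directly after `use Ramsey\Uuid\Uuid;` with no blank line, which is also where it sorts, and drop the extra `+` blank line so the import block keeps the file's existing style.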
@@ -22,10 +24,18 @@
      * @param HttpRequest $httpRequest
      * @return Request
      */
     public static function createFromRequest(HttpRequest $httpRequest)
     {
+        $cookies = $httpRequest->cookies();
+        $auth_token_name = 'webhooksite_session';
+        if ($cookies->get($auth_token_name)) {
+            $cookies->set($auth_token_name, '<redacted>');
+            $redactedCookiesVal = HeaderUtils::toString($cookies->all(), '; ');
+            $httpRequest->headers->set('cookie', $redactedCookiesVal);
+        }
+
         $request = new self([
             'uuid' => Uuid::uuid4()->toString(),
             'token_id' => $httpRequest->tokenId,
             'ip' => $httpRequest->ip(),
             'hostname' => $httpRequest->getHost(),
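Review bot: the first added line in this hunk, `$cookies = $httpRequest->cookies();`, calls a method that does not exist: on Illuminate\Http\Request (the HttpRequest alias imported above) the cookies live in the public `$cookies` parameter bag inherited from Symfony's Request, and the only accessor method is the singular `cookie($key)`, so this line fails with an undefined-method error before any redaction happens; use `$cookies = $httpRequest->cookies;`. Two smaller points in the same block: `if ($cookies->get($auth_token_name))` is a truthiness test and silently skips a cookie whose value is `0` or empty, where `$cookies->has($auth_token_name)` is the intended check; and `'webhooksite_session'` hard-codes Laravel's session cookie name, which the application configures via `config('session.cookie')`, so reading it from there keeps the redaction correct if the cloud deployment (which the comment says may differ) uses another name. Finally, `$httpRequest->headers->set('cookie', ...)` mutates the live request object rather than a copy, so anything that reads the Cookie header after `createFromRequest()` sees the redacted value; worth a comment if that is intended.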

While this approach does have the downside of normalizing the HTTP header value (removing whitespace and potentially also normalizing the case), I would still prefer the behavior over just dropping the Cookie header entirely. However, since this is an issue most people wouldn't be concerned with, I understand if you'd like to avoid the additional complexity/capacity for bugs altogether.

from webhook.site.
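As an added example (not code from the webhook.site repository or from either commenter), the following PHP shows the alternative that sidesteps the normalisation downside raised in the comment above: instead of parsing the cookies into an array and re-serialising them with HeaderUtils::toString, it rewrites only the named cookie's value inside the raw Cookie header string, so spacing, ordering and every other cookie's bytes stay exactly as the client sent them. The cookie name `webhooksite_session` is taken from the comment; the function names, the sample headers and the redaction placeholder are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Replace the value of every cookie named $name in a raw Cookie header with
 * $placeholder, leaving every other byte of the header untouched.
 *
 * RFC 6265 defines the header as cookie-pairs separated by "; " where a
 * cookie-value never contains ';', so "everything up to the next ';'" is
 * the value. Clients do not always send the canonical single space after
 * ';', which is why this works on the raw string rather than re-serialising.
 * Cookie names are case-sensitive, hence no /i flag.
 */
function redactCookie(string $cookieHeader, string $name, string $placeholder = '<redacted>'): string
{
    // Group 1: start of header, or the ';' closing the previous pair;
    // group 2: whatever whitespace followed it plus "name=";
    // group 3: the value. Anchoring on ^ or ';' means a cookie whose name
    // merely ends with ours (e.g. "xwebhooksite_session") is not matched.
    $pattern = '/(^|;)(\s*' . preg_quote($name, '/') . '=)([^;]*)/';

    // A callback rather than a replacement string, so a placeholder that
    // contains '$' or '\' is inserted literally. Every occurrence is
    // replaced, since a client may legitimately send the same name twice.
    return preg_replace_callback(
        $pattern,
        static fn(array $m): string => $m[1] . $m[2] . $placeholder,
        $cookieHeader
    );
}

// Constructed sample headers (not captured from real traffic). They cover a
// missing space after ';', a double space, an '=' inside another value, a
// cookie whose name contains ours, an empty value, and no match at all.
$samples = [
    'laravel_session=abc;webhooksite_session=eyJpdiI6;  other=x=y',
    'XSRF-TOKEN=t1; xwebhooksite_session=keep; webhooksite_session=secret',
    'webhooksite_session=',
    'unrelated=1',
];

foreach ($samples as $raw) {
    printf("%s\n  -> %s\n", $raw, redactCookie($raw, 'webhooksite_session'));
}

// Self-check of the property the comment cares about: the rest of the header
// survives byte-for-byte, including the non-canonical spacing.
assert(
    redactCookie('a=1;webhooksite_session=s;  b=2', 'webhooksite_session')
    === 'a=1;webhooksite_session=<redacted>;  b=2'
);
```

Dropped into createFromRequest() this would read the header with `$httpRequest->headers->get('cookie')`, pass it through redactCookie() and write it back with `$httpRequest->headers->set('cookie', ...)`, as the patch already does; Symfony's HeaderBag looks header names up case-insensitively, so `'cookie'` finds a `Cookie` header as sent. In a Laravel application the name would be taken from `config('session.cookie')` rather than hard-coded, which is assumed here and not shown.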
