Merged PR 28411: Redact Auth header content from ErrorRecord

adityapatwardhan · adityapatwardhan · commit cfe0f9909a44 · 2023-11-09T03:24:15.000Z
Redact Auth header content from ErrorRecord
diff --git a/src/Microsoft.PowerShell.Commands.Utility/commands/utility/WebCmdlet/Common/WebRequestPSCmdlet.Common.cs b/src/Microsoft.PowerShell.Commands.Utility/commands/utility/WebCmdlet/Common/WebRequestPSCmdlet.Common.cs
@@ -836,6 +836,27 @@ private string GetBearerAuthorizationHeader()
             return string.Format("Bearer {0}", new NetworkCredential(string.Empty, Token).Password);
         }
 
+        private static HttpRequestMessage RedactAuthorizationHeader(HttpRequestMessage request)
+        {
+            if (request.Headers is not null && request.Headers.Authorization is not null && request.Headers.Authorization.Parameter is not null)
+            {
+                // redact the auth parameter, but leave the last 4 characters for developers to validate
+                // the right token was sent
+                var authParameter = request.Headers.Authorization.Parameter;
+                var redactLength = authParameter.Length - 4;
+                if (redactLength < 0)
+                {
+                    redactLength = authParameter.Length;
+                }
+
+                request.Headers.Authorization = new AuthenticationHeaderValue(
+                    request.Headers.Authorization.Scheme,
+                    string.Concat("****", authParameter.Substring(redactLength).AsSpan()));
+            }
+
+            return request;
+        }
+
         private void ProcessAuthentication()
         {
             if (Authentication == WebAuthenticationType.Basic)
@@ -1546,7 +1567,7 @@ protected override void ProcessRecord()
                                     string message = string.Format(CultureInfo.CurrentCulture, WebCmdletStrings.ResponseStatusCodeFailure,
                                         (int)response.StatusCode, response.ReasonPhrase);
                                     HttpResponseException httpEx = new(message, response);
-                                    ErrorRecord er = new(httpEx, "WebCmdletWebResponseException", ErrorCategory.InvalidOperation, request);
+                                    ErrorRecord er = new(httpEx, "WebCmdletWebResponseException", ErrorCategory.InvalidOperation, RedactAuthorizationHeader(request));
                                     string detailMsg = string.Empty;
                                     StreamReader reader = null;
                                     try
@@ -1593,15 +1614,15 @@ protected override void ProcessRecord()
                                         response.StatusCode == HttpStatusCode.Moved ||
                                         response.StatusCode == HttpStatusCode.MovedPermanently)
                                     {
-                                        ErrorRecord er = new(new InvalidOperationException(), "MaximumRedirectExceeded", ErrorCategory.InvalidOperation, request);
+                                        ErrorRecord er = new(new InvalidOperationException(), "MaximumRedirectExceeded", ErrorCategory.InvalidOperation, RedactAuthorizationHeader(request));
                                         er.ErrorDetails = new ErrorDetails(WebCmdletStrings.MaximumRedirectionCountExceeded);
                                         WriteError(er);
                                     }
                                 }
                             }
                             catch (HttpRequestException ex)
                             {
-                                ErrorRecord er = new(ex, "WebCmdletWebResponseException", ErrorCategory.InvalidOperation, request);
+                                ErrorRecord er = new(ex, "WebCmdletWebResponseException", ErrorCategory.InvalidOperation, RedactAuthorizationHeader(request));
                                 if (ex.InnerException != null)
                                 {
                                     er.ErrorDetails = new ErrorDetails(ex.InnerException.Message);
diff --git a/test/powershell/Modules/Microsoft.PowerShell.Utility/WebCmdlets.Tests.ps1 b/test/powershell/Modules/Microsoft.PowerShell.Utility/WebCmdlets.Tests.ps1
@@ -1706,6 +1706,19 @@ Describe "Invoke-WebRequest tests" -Tags "Feature", "RequireAdminOnWindows" {
 
             $result.Headers.Authorization | Should -Match "^$AuthType "
         }
+
+        It 'Invoke-WebRequest redacts Authorization header in ErrorRecord' {
+            $token = ConvertTo-SecureString -AsPlainText 'secret'
+            try {
+                Invoke-WebRequest -Authentication Bearer -Token $token -Uri https://localhost:443
+            }
+            catch {
+                $errorText = Get-Error $_ | Out-String
+            }
+
+            ($errorText | Select-String 'secret').Matches | Should -BeNullOrEmpty
+            ($errorText | Select-String '\*cret').Matches | Should -Not -BeNullOrEmpty
+        }
     }
 
     Context "Invoke-WebRequest -SslProtocol Test" {
@@ -3197,6 +3210,19 @@ Describe "Invoke-RestMethod tests" -Tags "Feature", "RequireAdminOnWindows" {
 
             $result.Headers.Authorization | Should -Match "^$AuthType "
         }
+
+        It 'Invoke-RestMethod redacts Authorization header in ErrorRecord' {
+            $token = ConvertTo-SecureString -AsPlainText 'secret'
+            try {
+                Invoke-RestMethod -Authentication Bearer -Token $token -Uri https://localhost:443
+            }
+            catch {
+                $errorText = Get-Error $_ | Out-String
+            }
+
+            ($errorText | Select-String 'secret').Matches | Should -BeNullOrEmpty
+            ($errorText | Select-String '\*cret').Matches | Should -Not -BeNullOrEmpty
+        }
     }
 
     Context "Invoke-RestMethod -SslProtocol Test" {
