remove cookies as well

apache · Sep 21, 2023 · 6d6b0cc · 6d6b0cc
1 parent 02cacb7
commit 6d6b0cc
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 8 deletions.
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/protocol/RequestTraceInterceptor.java b/httpclient5/src/main/java/org/apache/hc/client5/http/protocol/RequestTraceInterceptor.java
@@ -41,6 +41,8 @@
 import org.apache.hc.core5.http.ProtocolException;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.util.Args;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * <h1>RequestTraceInterceptor</h1>
@@ -49,15 +51,15 @@
  *
  * <p><strong>Responsibilities:</strong></p>
  * <ul>
- *   <li>Sanitizes TRACE requests by removing sensitive headers such as {@code Authorization}.</li>
+ *   <li>Sanitizes TRACE requests by removing sensitive headers such as {@code Authorization} and {@code Cookie}.</li>
  *   <li>Ensures that TRACE requests do not contain a request body, throwing a {@link ProtocolException} if a body is present.</li>
  * </ul>
  *
  * <p><strong>Thread Safety:</strong> This class is stateless and therefore thread-safe, as indicated by its {@code ThreadingBehavior.STATELESS} annotation.</p>
  *
  * <p><strong>Interceptor Behavior:</strong></p>
  * <ul>
- *   <li>If the HTTP method is TRACE, the interceptor removes any {@code Authorization} headers to prevent sensitive data leakage.</li>
+ *   <li>If the HTTP method is TRACE, the interceptor removes any {@code Authorization} and {@code Cookie} headers to prevent sensitive data leakage.</li>
  *   <li>If a TRACE request contains a body, a {@link ProtocolException} is thrown.</li>
  * </ul>
  *
@@ -68,10 +70,13 @@
  * @see ProtocolException
  * @see Method#TRACE
  * @see HttpHeaders#AUTHORIZATION
+ * @see HttpHeaders#COOKIE
  */
 @Contract(threading = ThreadingBehavior.STATELESS)
 public class RequestTraceInterceptor implements HttpRequestInterceptor {
 
+    private static final Logger LOG = LoggerFactory.getLogger(RequestTraceInterceptor.class);
+
     /**
      * Singleton instance of {@link RequestTraceInterceptor}.
      */
@@ -88,6 +93,7 @@ public RequestTraceInterceptor() {
      * Processes an incoming HTTP request. If the request is of type TRACE, it performs the following actions:
      * <ul>
      *   <li>Removes the {@code Authorization} header to prevent sensitive data leakage.</li>
+     *   <li>Removes the {@code Cookie} header to prevent sensitive data leakage.</li>
      *   <li>Throws a {@link ProtocolException} if the request contains a body.</li>
      * </ul>
      *
@@ -100,21 +106,38 @@ public RequestTraceInterceptor() {
     @Override
     public void process(final HttpRequest request, final EntityDetails entity, final HttpContext context)
             throws HttpException, IOException {
+
         Args.notNull(request, "HTTP request");
+        Args.notNull(context, "HTTP context");
 
         // Check if the request method is TRACE
         if (Method.TRACE.isSame(request.getMethod())) {
-            // Check for sensitive headers
-            final Header header = request.getHeader(HttpHeaders.AUTHORIZATION);
-            // Remove the sensitive header
-            if (header != null) {
-                request.removeHeaders(HttpHeaders.AUTHORIZATION);
-            }
 
             //A client MUST NOT send content in a TRACE request.
             if (entity != null) {
                 throw new ProtocolException("TRACE request MUST NOT contain a request body.");
             }
+
+            // Check for sensitive headers
+            final Header authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
+            // Remove the sensitive Authorization header
+            if (authHeader != null) {
+                request.removeHeaders(HttpHeaders.AUTHORIZATION);
+                // Log the removal of the Authorization header
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Authorization header removed from TRACE request.");
+                }
+            }
+
+            // Remove cookies
+            final Header cookieHeader = request.getHeader(HttpHeaders.COOKIE);
+            if (cookieHeader != null) {
+                request.removeHeaders(HttpHeaders.COOKIE);
+                // Log the removal of the Cookie header
+                if (LOG.isDebugEnabled()) {
+                    LOG.debug("Cookie header removed from TRACE request.");
+                }
+            }
         }
     }
 }
diff --git a/...lient5/src/test/java/org/apache/hc/client5/http/protocol/TestRequestTraceInterceptor.java b/...lient5/src/test/java/org/apache/hc/client5/http/protocol/TestRequestTraceInterceptor.java
@@ -87,4 +87,12 @@ void testNonTraceRequest() throws HttpException, IOException {
         assertNotNull(request.getHeader(HttpHeaders.AUTHORIZATION));
     }
 
+    @Test
+    void testTraceRequestWithCookieHeader() throws HttpException, IOException {
+        request = new BasicHttpRequest("TRACE", "/");
+        request.setHeader(HttpHeaders.COOKIE, "someCookie=someValue");
+        interceptor.process(request, null, context);
+        assertNull(request.getHeader(HttpHeaders.COOKIE));
+    }
+
 }