From a2b410e46cb56e994b057d0094c286a4fff60c21 Mon Sep 17 00:00:00 2001
From: Tyler Bunnell
Date: Mon, 8 May 2017 11:03:01 -0600
Subject: [PATCH] Custom sanitize fields. Sanitize headers.

---
 http.go | 16 ++++++++++++----
 http_test.go | 30 +++++++++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/http.go b/http.go
index d5cb05a..2367e17 100644
--- a/http.go
+++ b/http.go
@@ -18,14 +18,15 @@ func NewHttp(req *http.Request) *Http {
 	h := &Http{
 		Method: req.Method,
 		Cookies: req.Header.Get("Cookie"),
-		Query: sanitizeQuery(req.URL.Query()).Encode(),
+		Query: url.Values(sanitizeValues(req.URL.Query())).Encode(),
 		URL: proto + "://" + req.Host + req.URL.Path,
 		Headers: make(map[string]string, len(req.Header)),
 	}
 	if addr, port, err := net.SplitHostPort(req.RemoteAddr); err == nil {
 		h.Env = map[string]string{"REMOTE_ADDR": addr, "REMOTE_PORT": port}
 	}
-	for k, v := range req.Header {
+
+	for k, v := range http.Header(sanitizeValues(req.Header)) {
 		h.Headers[k] = strings.Join(v, ",")
 	}
 	h.Headers["Host"] = req.Host
@@ -34,10 +35,10 @@ func NewHttp(req *http.Request) *Http {
 
 var querySecretFields = []string{"password", "passphrase", "passwd", "secret"}
 
-func sanitizeQuery(query url.Values) url.Values {
+func sanitizeValues(query map[string][]string) map[string][]string {
 	for _, keyword := range querySecretFields {
 		for field := range query {
-			if strings.Contains(field, keyword) {
+			if strings.Contains(strings.ToLower(field), strings.ToLower(keyword)) {
 				query[field] = []string{"********"}
 			}
 		}
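Review bot: `sanitizeValues(req.Header)` on the new header line scrubs the caller's live `req.Header` rather than a copy: `sanitizeValues` assigns `query[field] = []string{"********"}` into the map it receives and returns that same map, so any handler that runs after `NewHttp` now sees redacted header values. `req.URL.Query()` does not have this problem because it parses a fresh map on every call. Note also that `Cookies: req.Header.Get("Cookie")` is captured before the scrub and none of the default keywords match `Cookie` or `Authorization`, so session and bearer tokens still reach the report unless the caller registers those names. I would snapshot the header map before sanitizing; `NewHttp` starts and ends outside this hunk.

```go
	// … unchanged: Http literal and REMOTE_ADDR/REMOTE_PORT …
	// sanitizeValues writes into the map it is given; work on a copy so the
	// live request headers seen by later handlers are left intact.
	headers := make(map[string][]string, len(req.Header))
	for k, v := range req.Header {
		headers[k] = v
	}
	for k, v := range sanitizeValues(headers) {
		h.Headers[k] = strings.Join(v, ",")
	}
	h.Headers["Host"] = req.Host
```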
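Review bot: `sanitizeValues` redacts in place and hands back the very map it was given, and nothing at the definition says so, which is exactly what bites the new `req.Header` caller; the function also re-lower-cases every keyword once per field, in the innermost loop. I would document the in-place contract and flip the loops so each field name is lowered once and the keyword scan stops at the first hit, which masks the same keys with the same value. The outer loop's `}` and `return query` sit in the next hunk, so the function continues past this one. Custom keywords from `AddSanitizeField` still go through `strings.ToLower(keyword)`, so mixed-case registrations keep working.

```go
// sanitizeValues masks, in place, the values of every key whose name contains
// one of querySecretFields (case-insensitively) and returns the same map.
// Callers that must keep the original untouched have to pass a copy.
func sanitizeValues(query map[string][]string) map[string][]string {
	for field := range query {
		lowered := strings.ToLower(field)
		for _, keyword := range querySecretFields {
			if strings.Contains(lowered, strings.ToLower(keyword)) {
				query[field] = []string{"********"}
				break
			}
		}
	}
	// … unchanged: return query (in the next hunk) …
```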
@@ -45,6 +46,13 @@ func sanitizeQuery(query url.Values) url.Values {
 	return query
 }
 
+// AddSanitizewField adds a custom sanitize field to the array of fields to
+// search for and sanitize. This allows you to hide sensitive information in
+// both the query string and headers.
+func AddSanitizeField(field string) {
+	querySecretFields = append(querySecretFields, field)
+}
+
 // https://docs.getsentry.com/hosted/clientdev/interfaces/#context-interfaces
 type Http struct {
 	// Required
diff --git a/http_test.go b/http_test.go
index 48cae73..4c8f1a8 100644
--- a/http_test.go
+++ b/http_test.go
@@ -141,10 +141,38 @@ func parseQuery(q string) url.Values {
 
 func TestSanitizeQuery(t *testing.T) {
 	for _, test := range sanitizeQueryTests {
-		actual := sanitizeQuery(parseQuery(test.input))
+		actual := url.Values(sanitizeValues(parseQuery(test.input)))
 		expected := parseQuery(test.output)
 		if !reflect.DeepEqual(actual, expected) {
 			t.Errorf("incorrect sanitization: got %+v, want %+v", actual, expected)
 		}
 	}
 }
+
+var sanitizeHeadersTest = []struct {
+	input, output string
+}{
+	{"foo=bar", "foo=bar"},
+	{"password=foo", "password=********"},
+	{"passphrase=foo", "passphrase=********"},
+	{"passwd=foo", "passwd=********"},
+	{"secret=foo", "secret=********"},
+	{"secretstuff=foo", "secretstuff=********"},
+	{"foo=bar&secret=foo", "foo=bar&secret=********"},
+	{"secret=foo&secret=bar", "secret=********"},
+}
+
+func parseHeaders(q string) http.Header {
+	r, _ := url.ParseQuery(q)
+	return http.Header(r)
+}
+
+func TestSanitizeHeaders(t *testing.T) {
+	for _, test := range sanitizeHeadersTest {
+		actual := http.Header(sanitizeValues(parseQuery(test.input)))
+		expected := parseHeaders(test.output)
+		if !reflect.DeepEqual(actual, expected) {
+			t.Errorf("incorrect sanitization: got %+v, want %+v", actual, expected)
+		}
+	}
+}
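Review bot: The doc comment on `AddSanitizeField` names the function `AddSanitizewField`, so it neither reads correctly nor satisfies the convention that an exported symbol's comment starts with its name. More importantly, the append writes the package-level `querySecretFields` slice that `sanitizeValues` ranges over on every request, with no synchronization, which is a data race if a program registers fields after it has started serving. Absent a mutex, the comment should state that constraint: `// AddSanitizeField adds field to the list of case-insensitive substrings whose query-string and header values are masked with "********".` followed by `// It appends to unsynchronized package state, so call it during initialization, before any request is handled.`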
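Review bot: `TestSanitizeHeaders` builds its input with `parseQuery(test.input)` and reuses the query table verbatim, so nothing header-specific is exercised; in particular the case-insensitive match this commit introduces (`strings.ToLower(field)`) and canonical header names such as `Secret` or `X-Api-Secret` have no coverage, and `AddSanitizeField` has none at all. I would use `actual := http.Header(sanitizeValues(parseHeaders(test.input)))` and add rows like `{"Secret=foo", "Secret=********"}` and `{"X-Api-Secret=foo", "X-Api-Secret=********"}`, plus a case that registers a custom field and checks it is masked. `parseHeaders` also discards the `url.ParseQuery` error, which is harmless for these literal inputs but would silently hide a malformed table entry; failing the test on it is cheap. The hunk does not show the test file's import block, so make sure `net/http` is imported for `http.Header`.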