Tests added

rbamberger · rbamberger · commit f73c65b42842 · 2023-01-23T08:28:41.000+01:00
diff --git a/lib/java_buildpack/util/sanitizer.rb b/lib/java_buildpack/util/sanitizer.rb
@@ -18,36 +18,55 @@
 # A mixin that adds the ability to turn a +String+ into sanitized uri
 class String
 
+  # Takes the uri query params and strips out credentials
+  #
+  # @return [String] the sanitized query params
+  def handle_params(params)
+    keywords = /key
+               |password
+               |username
+               |cred(ential)*(s)*
+               |password
+               |token
+               |api[-_]token
+               |api
+               |auth(entication)*
+               |access[-_]token
+               |secret[-_]token/ix
+
+    query_params = ''
+
+    params.each do |key, value|
+      match = key.match(keywords)
+
+      if match
+        params[key] = if match[0] == 'Api-Token' && value =~ /dt\w*/
+                        value.gsub(/(dt\w*\.\w*)\.\w*/, '\1.REDACTED')
+                      else
+                        '***'
+                      end
+      end
+
+      query_params += key + '=' + params[key] + '&'
+    end
+
+    query_params
+  end
+
   # Takes a uri and strips out any credentials it may contain.
   #
   # @return [String] the sanitized uri
   def sanitize_uri
-    keywords = /key|password|username|cred[entials]*[s]*|password|token|api[-_]token|api|auth[entication]*|access[-_]token|secret[-_]token/i
-
     rich_uri          = URI(self)
     rich_uri.user     = nil
     rich_uri.password = nil
 
-    if(rich_uri.query)
-      params = Hash[URI.decode_www_form rich_uri.query]
-
-      query_params = ""
-
-      params.each do |key,value|
-        match = key.match(keywords)
-
-        if(match)
-          if(match[0] == "Api-Token" && value =~ /dt\w*/)
-            params[key] = value.gsub(/(dt\w*\.\w*)\.\w*/, '\1.REDACTED')
-          else
-            params[key] = "***"
-          end
-        end
-
-        query_params += key + "=" + params[key] + "&"
-      end
+    if rich_uri.query
+      params = (URI.decode_www_form rich_uri.query).to_h
+      query_params = handle_params(params)
       rich_uri.query = query_params.chop
     end
+
     rich_uri.to_s
   end
 end
diff --git a/spec/java_buildpack/util/sanitize_spec.rb b/spec/java_buildpack/util/sanitize_spec.rb
@@ -23,7 +23,23 @@
   include_context 'with application help'
 
   it 'sanitizes uri with credentials in' do
-    expect('https://myuser:mypass@myhost/path/to/file'.sanitize_uri).to eq('https://myhost/path/to/file')
+    expect('https://myuser:mypass@myhost/path/to/file'\
+           '?authentication=verysecret'\
+           '&cred=verysecret'\
+           '&password=verysecret'\
+           '&include=java'\
+           '&bitness=64'\
+           '&Api-Token=dt0c01.H67ALCXCXK7PWAAOQLENSRET.PRIVATEPART'\
+           '&secret-token=verysecret'\
+           '&token=123456789'.sanitize_uri).to eq('https://myhost/path/to/file'\
+                                                  '?authentication=***'\
+                                                  '&cred=***'\
+                                                  '&password=***'\
+                                                  '&include=java'\
+                                                  '&bitness=64'\
+                                                  '&Api-Token=dt0c01.H67ALCXCXK7PWAAOQLENSRET.REDACTED'\
+                                                  '&secret-token=***'\
+                                                  '&token=***')
   end
 
   it 'does not sanatize uri with no credentials in' do
