fix: Avoid showing authorization value in exception (#111)

jsonbailey · web-flow · commit e5f793354ebb · 2025-09-25T11:40:29.000-05:00
diff --git a/src/LaunchDarkly.EventSource/EventSourceService.cs b/src/LaunchDarkly.EventSource/EventSourceService.cs
@@ -199,7 +199,20 @@ private HttpRequestMessage CreateHttpRequestMessage(Uri uri, string lastEventId)
             {
                 foreach (var item in _configuration.RequestHeaders)
                 {
-                    request.Headers.Add(item.Key, item.Value);
+                    try
+                    {
+                        request.Headers.Add(item.Key, item.Value);
+                    }
+                    catch (FormatException)
+                    {
+                        // Avoid showing the Authorization header value in the exception message
+                        if (item.Key.Equals("Authorization", StringComparison.OrdinalIgnoreCase))
+                        {
+                            throw new FormatException("The Authorization header is invalid.");
+                        }
+
+                        throw;
+                    }
                 }
             }
 
diff --git a/test/LaunchDarkly.EventSource.Tests/EventSourceHttpBehaviorTest.cs b/test/LaunchDarkly.EventSource.Tests/EventSourceHttpBehaviorTest.cs
@@ -165,6 +165,37 @@ public void HttpRequestModifier()
             }
         }
 
+        [Fact]
+        public async Task MalformedAuthorizationHeaderDoesNotExposeKeyInException()
+        {
+            using (var server = HttpServer.Start(EmptyStreamThatStaysOpen))
+            {
+                var taskComplete = new TaskCompletionSource<bool>();
+                var errorMessage = string.Empty;
+
+                var invalidSdkKey = "\nsecret-api-key-with";
+                var headers = new Dictionary<string, string> { { "Authorization", invalidSdkKey } };
+
+                using (var es = MakeEventSource(server.Uri, builder => builder.RequestHeaders(headers)))
+                {
+                    es.Error += (sender, args) =>
+                    {
+                        errorMessage = args.Exception.Message;
+                        taskComplete.SetResult(true);
+                    };
+
+                    _ = Task.Run(es.StartAsync);
+
+                    // Wait for the error event with a timeout
+                    var timeoutTask = Task.Delay(TimeSpan.FromSeconds(5));
+                    var completedTask = await Task.WhenAny(taskComplete.Task, timeoutTask);
+
+                    Assert.True(completedTask == taskComplete.Task, "Test timed out waiting for error event");
+                    Assert.DoesNotContain(invalidSdkKey, errorMessage);
+                }
+            }
+        }
+
         [Fact]
         public async void OpenedEventIncludesHeaders()
         {

Original file line number	Diff line number	Diff line change
`@@ -199,7 +199,20 @@ private HttpRequestMessage CreateHttpRequestMessage(Uri uri, string lastEventId)`
`199`	`199`	`{`
`200`	`200`	`foreach (var item in _configuration.RequestHeaders)`
`201`	`201`	`{`
`202`		`- request.Headers.Add(item.Key, item.Value);`
	`202`	`+ try`
	`203`	`+ {`
	`204`	`+ request.Headers.Add(item.Key, item.Value);`
	`205`	`+ }`
	`206`	`+ catch (FormatException)`
	`207`	`+ {`
	`208`	`+ // Avoid showing the Authorization header value in the exception message`
	`209`	`+ if (item.Key.Equals("Authorization", StringComparison.OrdinalIgnoreCase))`
	`210`	`+ {`
	`211`	`+ throw new FormatException("The Authorization header is invalid.");`
	`212`	`+ }`
	`213`	`+`
	`214`	`+ throw;`
	`215`	`+ }`
`203`	`216`	`}`
`204`	`217`	`}`
`205`	`218`