Sanitize POST body when it's JSON (pull request opbeat#189)

dsanders11 · dsanders11 · commit 196cb62593a3 · 2018-04-12T11:55:39.000-07:00
diff --git a/opbeat/processors.py b/opbeat/processors.py
@@ -13,6 +13,7 @@
 
 from opbeat.utils import six, varmap
 from opbeat.utils.encoding import force_text
+from opbeat.utils.opbeat_json import is_json, loads, dumps
 
 
 class Processor(object):
@@ -113,6 +114,8 @@ def filter_http(self, data):
 
                     data[n] = '&'.join('='.join(k) for k in querybits)
                     continue
+                if is_json(text_data):
+                    data[n] = dumps(varmap(self.sanitize, loads(text_data)))
             data[n] = varmap(self.sanitize, data[n])
 
     def process(self, data, **kwargs):
diff --git a/opbeat/utils/opbeat_json.py b/opbeat/utils/opbeat_json.py
@@ -43,3 +43,10 @@ def dumps(value, **kwargs):
 
 def loads(value, **kwargs):
     return json.loads(value, object_hook=better_decoder)
+
+def is_json(value):
+    try:
+        loads(value)
+        return True
+    except ValueError:
+        return False
diff --git a/tests/processors/tests.py b/tests/processors/tests.py
@@ -8,6 +8,7 @@
                                SanitizePasswordsProcessor)
 from opbeat.utils import six
 from opbeat.utils.encoding import force_text
+from opbeat.utils.opbeat_json import dumps
 from tests.utils.compat import TestCase
 
 
@@ -106,6 +107,40 @@ def test_post_as_string(self):
         http = result['http']
         assert 'evil' not in force_text(http['data'])
 
+    def test_post_as_json_bytes_string(self):
+        data = {
+            'http': {
+                'data': six.b(dumps({
+                    'password': 'evil',
+                    'api_key': 'evil',
+                    'harmless': 'bar'
+                })),
+            }
+        }
+        proc = SanitizePasswordsProcessor(Mock())
+        result = proc.process(data)
+        self.assertTrue('http' in result)
+        http = result['http']
+        assert 'evil' not in force_text(http['data'])
+        assert 'bar' in force_text(http['data'])
+
+    def test_post_as_json_string(self):
+        data = {
+            'http': {
+                'data': dumps({
+                    'password': 'evil',
+                    'api_key': 'evil',
+                    'harmless': 'bar'
+                }),
+            }
+        }
+        proc = SanitizePasswordsProcessor(Mock())
+        result = proc.process(data)
+        self.assertTrue('http' in result)
+        http = result['http']
+        assert 'evil' not in force_text(http['data'])
+        assert 'bar' in force_text(http['data'])
+
     def test_querystring_as_string(self):
         data = {
             'http': {
