

sanitize client request id and correlation id
bilfeldt committed Sep 28, 2023
1 parent fee1d9d commit 1162b2f
Showing 2 changed files with 31 additions and 2 deletions.
17 changes: 15 additions & 2 deletions src/CorrelationIdServiceProvider.php
Expand Up @@ -13,6 +13,9 @@ class CorrelationIdServiceProvider extends ServiceProvider
{
public const PAYLOAD_KEY_CORRELATION_ID = 'correlation_id';

// Remove all characters that are not the dash, letters, numbers, or whitespace
public static string $sanitize = '/[^a-zA-Z0-9-]/';

public static function getClientRequestIdHeaderName(): string
{
return config('correlation-id.client_request_id_header');
Expand Down Expand Up @@ -97,7 +100,12 @@ protected function bootRequestGetCorrelationIdMacro(): void
{
if (! Request::hasMacro('getCorrelationId')) {
Request::macro('getCorrelationId', function (): ?string {
return $this->header(CorrelationIdServiceProvider::getCorrelationIdHeaderName());
if (! $this->hasHeader(CorrelationIdServiceProvider::getCorrelationIdHeaderName())) {
return null;
}

// Sanitize the correlation id as a safety precaution
return preg_replace(CorrelationIdServiceProvider::$sanitize, '', $this->header(CorrelationIdServiceProvider::getCorrelationIdHeaderName()));
});
} else {
Log::warning('Request::getCorrelationId() already exists, skipping macro registration.');
Expand All @@ -108,7 +116,12 @@ protected function bootRequestGetClientRequestIdMacro(): void
{
if (! Request::hasMacro('getClientRequestId')) {
Request::macro('getClientRequestId', function (): ?string {
return $this->header(CorrelationIdServiceProvider::getClientRequestIdHeaderName());
if (! $this->hasHeader(CorrelationIdServiceProvider::getClientRequestIdHeaderName())) {
return null;
}

// Sanitize the correlation id as a safety precaution
return preg_replace(CorrelationIdServiceProvider::$sanitize, '', $this->header(CorrelationIdServiceProvider::getClientRequestIdHeaderName()));
});
} else {
Log::warning('Request::getClientRequestId() already exists, skipping macro registration.');
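Review bot: The comment above the new `$sanitize` pattern in the first hunk says whitespace is kept, but `/[^a-zA-Z0-9-]/` strips it (the new feature test expects `% !` to disappear), so the comment should read `// Strip every character except ASCII letters, digits and dashes`. The comment in the client-request-id macro was copied from the correlation-id macro and should say `// Sanitize the client request id as a safety precaution`. Because the pattern is a writable public static, any code loaded in the process can replace the allow-list at runtime; a `public const` (or a private const behind an accessor) would make it tamper-proof. A header consisting only of disallowed characters now yields `''` rather than `null`, so callers that only check for `null` will see an empty id — consider returning null when the sanitized result is empty. Both macro methods continue past their hunks and the class header is outside the first hunk.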
16 changes: 16 additions & 0 deletions tests/Feature/RequestMacroTest.php
Expand Up @@ -24,6 +24,14 @@ public function test_get_correlation_id_macro(): void
$this->assertEquals('test-correlation-id', $request->getCorrelationId());
}

public function test_correlation_id_is_sanitize(): void
{
$request = new Request();
$request->headers->set('Correlation-ID', 'this-SHOULD-be-<sanitized>% !-in-a-good-123-implementation');

$this->assertEquals('this-SHOULD-be-sanitized-in-a-good-123-implementation', $request->getCorrelationId());
}

public function test_request_macro_get_client_request_id_is_registered()
{
$this->assertTrue((new Request())->hasMacro('getClientRequestId'));
Expand All @@ -40,6 +48,14 @@ public function test_get_client_request_id_macro(): void
$this->assertEquals('test-request-id', $request->getClientRequestId());
}

public function test_client_request_id_is_sanitize(): void
{
$request = new Request();
$request->headers->set('Request-ID', 'this-SHOULD-be-<sanitized>% !-in-a-good-123-implementation');

$this->assertEquals('this-SHOULD-be-sanitized-in-a-good-123-implementation', $request->getClientRequestId());
}

public function test_request_macro_get_unique_id_is_registered()
{
$this->assertTrue((new Request())->hasMacro('getUniqueId'));
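Review bot: The two new tests only cover a header with stray characters; neither the missing-header path that now returns `null` nor a header made entirely of disallowed characters (which the provider reduces to `''`) is exercised, so the `hasHeader` guard added in the provider has no test. An assertion such as `$this->assertNull((new Request())->getCorrelationId());` (and its client-request-id twin) would pin the first case. The method names `test_correlation_id_is_sanitize` and `test_client_request_id_is_sanitize` read better as `..._is_sanitized`. The test class starts and ends outside the hunks.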
