feat: hmac authentication strategy and response verification#8262
feat: hmac authentication strategy and response verification#8262bitgoAaron wants to merge 1 commit intomasterfrom
Conversation
- Updated function to be asynchronous, allowing for better handling of HMAC verification. - Introduced for default HMAC handling and added support for custom strategies. - Integrated for browser compatibility, enabling HMAC signing and verification using the Web Crypto API. - Enhanced to utilize the new HMAC strategies for request signing and response verification. - Added unit tests for the new HMAC strategies and their integration with the BitGoAPI. - Updated web demo to include a new component for WebCrypto authentication. Ticket: CE-10122
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| 'sending v2 %s request to %s with token %s', | ||
| method, | ||
| url, | ||
| this._token?.substr(0, 8) ?? '(strategy-managed)' |
Check warning
Code scanning / CodeQL
Log injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 14 hours ago
In general, to fix log injection, any user-controlled value that is written to logs should be sanitized to remove characters that can break the log format (such as \r and \n) or otherwise be encoded/escaped. For plain-text logs, a simple and effective approach is to strip carriage-return and newline characters from the value before interpolation, while keeping the semantics the same for non-malicious inputs.
In this specific case, the only problematic usage is in modules/sdk-api/src/bitgoAPI.ts, where this._token?.substr(0, 8) ?? '(strategy-managed)' is interpolated into a debug() call. The best minimal fix is to compute a local safeTokenPrefix that is based on the same 8-character prefix but with any \r or \n characters removed, and then log that sanitized prefix instead of the raw substring. This does not change functional behavior (the token is not used for logic, only for display) but ensures that no unexpected newlines can be injected into the log. No new imports or external libraries are required; we can use String.prototype.replace with a simple regex.
Concretely, in requestPatch where debug('sending v2 %s request to %s with token %s', ...) is called, we will introduce a local const safeTokenPrefix = this._token ? this._token.substr(0, 8).replace(/[\r\n]/g, '') : '(strategy-managed)'; and then pass safeTokenPrefix as the third format argument to debug. This confines the change to the immediate logging context and preserves the existing logging format.
| @@ -460,12 +460,11 @@ | ||
| req.set('Auth-Timestamp', requestProperties.timestamp.toString()); | ||
|
|
||
| req.set('Authorization', 'Bearer ' + requestProperties.tokenHash); | ||
| debug( | ||
| 'sending v2 %s request to %s with token %s', | ||
| method, | ||
| url, | ||
| this._token?.substr(0, 8) ?? '(strategy-managed)' | ||
| ); | ||
| const safeTokenPrefix = | ||
| this._token !== undefined && this._token !== null | ||
| ? this._token.substr(0, 8).replace(/[\r\n]/g, '') | ||
| : '(strategy-managed)'; | ||
| debug('sending v2 %s request to %s with token %s', method, url, safeTokenPrefix); | ||
|
|
||
| req.set('HMAC', requestProperties.hmac); | ||
| } |
1 participant
Ticket: CE-10122