diff --git a/packages/js/remote-logging/README.md b/packages/js/remote-logging/README.md index 49dac108054..c98a43a9ed8 100644 --- a/packages/js/remote-logging/README.md +++ b/packages/js/remote-logging/README.md @@ -172,3 +172,27 @@ addFilter( (endpoint) => 'https://my-custom-endpoint.com/js-error-log' ); ``` + +### `woocommerce_remote_logging_request_uri_whitelist` + +Modifies the list of whitelisted query parameters that won't be masked in the logged request URI + +**Parameters:** + +- `whitelist` (string[]): The default whitelist. + +**Return value:** (string[]) The modified whitelist. + +**Usage example:** + +```js +import { addFilter } from '@wordpress/hooks'; + +addFilter( + 'woocommerce_remote_logging_request_uri_whitelist', + 'my-plugin', + ( whitelist ) => { + return [ ...whitelist, 'exampleParam' ] + } +); +``` diff --git a/packages/js/remote-logging/changelog/add-query-params-sanitisation b/packages/js/remote-logging/changelog/add-query-params-sanitisation new file mode 100644 index 00000000000..59d27ec04e8 --- /dev/null +++ b/packages/js/remote-logging/changelog/add-query-params-sanitisation @@ -0,0 +1,4 @@ +Significance: minor +Type: update + +Add query params sanitisation diff --git a/packages/js/remote-logging/src/remote-logger.ts b/packages/js/remote-logging/src/remote-logger.ts index 06832a995d8..c35024a7110 100644 --- a/packages/js/remote-logging/src/remote-logger.ts +++ b/packages/js/remote-logging/src/remote-logger.ts @@ -33,6 +33,44 @@ export const REMOTE_LOGGING_LOG_ENDPOINT_FILTER = export const REMOTE_LOGGING_JS_ERROR_ENDPOINT_FILTER = 'woocommerce_remote_logging_js_error_endpoint'; +export const REMOTE_LOGGING_REQUEST_URI_PARAMS_WHITELIST_FILTER = + 'woocommerce_remote_logging_request_uri_whitelist'; + +export const REMPOTE_LOGGING_REQUEST_URI_PARAMS_DEFAULT_WHITELIST = [ + 'path', + 'page', + 'step', + 'task', + 'tab', + 'section', + 'status', + 'post_type', + 'taxonomy', + 'action', +]; + +export const sanitiseRequestUriParams = ( search: string ) => { + const params = new URLSearchParams( search ); + + /** + * This filter modifies the list of whitelisted query parameters that won't be masked + * in the logged request URI + * + * @filter woocommerce_remote_logging_request_uri_whitelist + * @param {string[]} whitelist The default whitelist + */ + const whitelist = applyFilters( + REMOTE_LOGGING_REQUEST_URI_PARAMS_WHITELIST_FILTER, + REMPOTE_LOGGING_REQUEST_URI_PARAMS_DEFAULT_WHITELIST + ) as typeof REMPOTE_LOGGING_REQUEST_URI_PARAMS_DEFAULT_WHITELIST; + for ( const [ key ] of params ) { + if ( ! whitelist.includes( key ) ) { + params.set( key, 'xxxxxx' ); + } + } + return params.toString(); +}; + const REMOTE_LOGGING_LAST_ERROR_SENT_KEY = 'wc_remote_logging_last_error_sent_time'; @@ -106,7 +144,8 @@ export class RemoteLogger { properties: { ...extraData?.properties, request_uri: - window.location.pathname + window.location.search, + window.location.pathname + + sanitiseRequestUriParams( window.location.search ), }, } ), trace: this.getFormattedStackFrame( @@ -213,7 +252,8 @@ export class RemoteLogger { tags: [ 'js-unhandled-error' ], properties: { request_uri: - window.location.pathname + window.location.search, + window.location.pathname + + sanitiseRequestUriParams( window.location.search ), }, } ), trace: this.getFormattedStackFrame( trace ), diff --git a/packages/js/remote-logging/src/test/index.ts b/packages/js/remote-logging/src/test/index.ts index 66a06a42f50..617467f3561 100644 --- a/packages/js/remote-logging/src/test/index.ts +++ b/packages/js/remote-logging/src/test/index.ts @@ -13,6 +13,8 @@ import { REMOTE_LOGGING_ERROR_DATA_FILTER, REMOTE_LOGGING_LOG_ENDPOINT_FILTER, REMOTE_LOGGING_JS_ERROR_ENDPOINT_FILTER, + sanitiseRequestUriParams, + REMOTE_LOGGING_REQUEST_URI_PARAMS_WHITELIST_FILTER, } from '../remote-logger'; import { fetchMock } from './__mocks__/fetch'; @@ -380,3 +382,24 @@ describe( 'captureException', () => { expect( fetchMock ).not.toHaveBeenCalled(); } ); } ); + +describe( 'sanitiseRequestUriParams', () => { + afterEach(() => { + removeFilter(REMOTE_LOGGING_REQUEST_URI_PARAMS_WHITELIST_FILTER, 'test' ); + }) + it( 'should replace non-whitelisted params with xxxxxx', () => { + expect(sanitiseRequestUriParams('?path=home&user=admin&token=abc123')).toEqual('path=home&user=xxxxxx&token=xxxxxx') + }) + it( 'should not replace whitelisted params with xxxxxx', () => { + expect(sanitiseRequestUriParams('?path=home')).toEqual('path=home') + }) + it( 'should not do anything if empty string is passed in', () => { + expect(sanitiseRequestUriParams('')).toEqual('') + }) + it( 'should apply filters correctly', () => { + addFilter( REMOTE_LOGGING_REQUEST_URI_PARAMS_WHITELIST_FILTER, 'test', (defaultWhitelist) => { + return [ ... defaultWhitelist, 'foo' ]; + }) + expect(sanitiseRequestUriParams('?path=home&foo=bar&user=admin&token=abc123')).toEqual('path=home&foo=bar&user=xxxxxx&token=xxxxxx') + }) +}) \ No newline at end of file diff --git a/plugins/woocommerce/changelog/add-more-params-to-remote-logger-whitelist b/plugins/woocommerce/changelog/add-more-params-to-remote-logger-whitelist new file mode 100644 index 00000000000..381b5ccebd0 --- /dev/null +++ b/plugins/woocommerce/changelog/add-more-params-to-remote-logger-whitelist @@ -0,0 +1,4 @@ +Significance: minor +Type: update + +Added more paths to remote logger query param whitelist diff --git a/plugins/woocommerce/src/Internal/Logging/RemoteLogger.php b/plugins/woocommerce/src/Internal/Logging/RemoteLogger.php index 6daa928b46e..3043cd110fe 100644 --- a/plugins/woocommerce/src/Internal/Logging/RemoteLogger.php +++ b/plugins/woocommerce/src/Internal/Logging/RemoteLogger.php @@ -438,7 +438,18 @@ class RemoteLogger extends \WC_Log_Handler { * @return string The sanitized request URI. */ private function sanitize_request_uri( $request_uri ) { - $default_whitelist = array( 'path', 'page', 'step', 'task', 'tab' ); + $default_whitelist = array( + 'path', + 'page', + 'step', + 'task', + 'tab', + 'section', + 'status', + 'post_type', + 'taxonomy', + 'action', + ); /** * Filter to allow other plugins to whitelist request_uri query parameter values for unmasked remote logging.