Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization leak through headers #1776

Closed
bjorn-lw opened this issue Mar 25, 2021 · 4 comments · Fixed by #1779
Closed

Authorization leak through headers #1776

bjorn-lw opened this issue Mar 25, 2021 · 4 comments · Fixed by #1779
Assignees
@SyntaxNode
Labels
bug

Comments

@bjorn-lw
Copy link
Contributor

bjorn-lw commented Mar 25, 2021
edited by bretg
Loading

If "test" is specified in the call to PBS, the debug info coming back contains all headers sent to the endpoints.

e.g. There can be a basic authentication key exposed. Even though it's not the actual user/password it feels like not something that should be publicly exposed.
@bjorn-lw bjorn-lw changed the title Authentication leak through headers Authorization leak through headers Mar 25, 2021
@bretg bretg added the bug label Mar 25, 2021
@bretg
Copy link
Contributor

bretg commented Mar 25, 2021

Thanks for the bug report @bjorn-lw

@SyntaxNode
Copy link
Contributor

SyntaxNode commented Mar 25, 2021
edited by bretg
Loading

Good catch. We missed that some adapters use the authorization header.

Are you ok with us keeping the header debugging feature and replacing the content of the auth header with a literal <HIDDEN BY PREBID SERVER> value?

@bjorn-lw
Copy link
Contributor Author

I think the feature is awesome otherwise and masking would be good enough.

@SyntaxNode
Copy link
Contributor

SyntaxNode commented Mar 25, 2021
edited by bretg
Loading

The adapter in question prefers for the header to be removed entirely, rather than masked.

@SyntaxNode SyntaxNode mentioned this issue Mar 25, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SyntaxNode SyntaxNode

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove Authorization Headers From Debug Response SyntaxNode/prebid-server
3 participants
@SyntaxNode @bretg @bjorn-lw