Censor sensitive numbers #152

codebycaleb · 2019-05-01T12:57:16Z

Fixes two problems:

When creating the sensitive bank, we add entries for secrets,
their URI-encoded value, and their base64-encoded value. For
numeric secrets (e.g. a bank account id of 8675309), the line
where we base64-encoded the secret failed because Buffer.from
won't accept a numeric value.
When replacing values from the sensitive bank, only Strings
were considered. This still worked for replacing values inside
of a string (e.g. Your account number is :censored:) but not
as a standalone value in an object (e.g. {account: 314159}).

Testing

zapier init censortest --template=minimal
Add the following lines inside of the App definition in index.js:

  authentication: {
    type: 'session',
    fields: [
      {
        key: 'topping',
        type: 'string',
        label: 'Topping',
        helpText: 'What is your favorite pizza topping?',
        required: true,
      },
      {
        key: 'account',
        type: 'integer',
        required: false,
        computed: true,
      }
    ],
    test: (z, bundle) => z.request({
      url: 'http://httpbin.org/post',
      method: 'POST',
      headers: {'X-ID': 314159265},
      body: {id: 314159265},
    }).then(resp => resp.json.data),
    connectionLabel: '{{account}}',
    sessionConfig: {
      perform: (z, bundle) => ({account: 314159265})
    },
  },

zapier push
Create an auth
In GL, for the request logs for the POST to http://httpbin.org/post, you'll see multiple null references logged.
In your app's package.json, change the zapier-platform-core dependency to zapier/zapier-platform-core#fix-censor-numbers; npm i
Change the line in package.json back to 8.0.1
Run SKIP_NPM_INSTALL=1 zapier push
Press the "Test" button for your auth
In GL, the input data should now have the value :censored:9:9cb84e8ccc: properly censored everywhere.

Fixes two problems: 1. When creating the sensitive bank, we add entries for secrets, their URI-encoded value, and their base64-encoded value. For numeric secrets (e.g. a bank account id of 8675309), the line where we base64-encoded the secret failed because Buffer.from won't accept a numeric value. 2. When replacing values from the sensitive bank, only Strings were considered. This still worked for replacing values inside of a string (e.g. `Your account number is :censored:`) but not as a standalone value in an object (e.g. `{account: 314159}`).

codebycaleb · 2019-05-01T13:03:39Z

For reference, https://zapier-platform.slack.com/archives/C2S5DGF6G/p1556655567057200 was what caused this investigation. I wasn't ever able to reproduce the exact same error on Zapier (though to be honest, I never made a trigger or create to test with), but I did pseudo-recreate it via npm testing. If you run the committed test on the current version of core (8.0.1), you'll see the TypeError: "value" argument must not be a number error, which was actually the root cause of the original report.

xavdid

sweet, great catch. thanks a bunch!

codebycaleb requested a review from xavdid May 1, 2019 12:57

xavdid approved these changes May 2, 2019

View reviewed changes

codebycaleb merged commit 132ec04 into master May 3, 2019

codebycaleb deleted the fix-censor-numbers branch May 3, 2019 16:48

bcooksey mentioned this pull request May 30, 2019

All data in request body is getting converted to strings zapier/zapier-platform-cli#436

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Censor sensitive numbers #152

Censor sensitive numbers #152

codebycaleb commented May 1, 2019

codebycaleb commented May 1, 2019

xavdid left a comment

Censor sensitive numbers #152

Censor sensitive numbers #152

Conversation

codebycaleb commented May 1, 2019

Testing

codebycaleb commented May 1, 2019

xavdid left a comment

Choose a reason for hiding this comment