diff --git a/backend/views/api-log/view.php b/backend/views/api-log/view.php
index d70fb660a..c24d0ecd9 100644
--- a/backend/views/api-log/view.php
+++ b/backend/views/api-log/view.php
@@ -10,6 +10,19 @@
 $this->params['breadcrumbs'][] = ['label' => Yii::t('app', 'Api Logs'), 'url' => ['index']];
 $this->params['breadcrumbs'][] = $this->title;
 \yii\web\YiiAsset::register($this);
+
+$redactApiLogValue = function ($value) {
+ if ($value === null || $value === '') {
+ return $value;
+ }
+
+ $redacted = (string)$value;
+ $redacted = preg_replace('/\b(Authorization|Proxy-Authorization)\s*[:=]\s*(?:Bearer|Basic)?\s*[^\r\n,;]+/i', '$1: ***REDACTED***', $redacted);
+ $redacted = preg_replace('/\b(Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]+/i', '$1 ***REDACTED***', $redacted);
+ $redacted = preg_replace('/([\'"]?(?:api[_-]?key|secret|token|access[_-]?token|refresh[_-]?token|password|client[_-]?secret)[\'"]?\s*[:=]\s*[\'"]?)[^\'",\r\n&]+/i', '$1***REDACTED***', $redacted);
+
+ return $redacted;
+};
 ?>
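Review bot: The first pattern in `$redactApiLogValue` never covers `Cookie`/`Set-Cookie`, so a session cookie captured in `request_headers` or `response_headers` is displayed in the clear, and neither the first nor the second pattern matches a non-Bearer/Basic scheme (e.g. `Authorization: Token …`) when a quote sits between the header name and the separator, as it would if headers are stored JSON-encoded — inferred, since the stored format is not visible in this hunk. Widening the header-name list and tolerating that quote closes both gaps: `$redacted = preg_replace('/\b(Authorization|Proxy-Authorization|Cookie|Set-Cookie|X-Api-Key|X-Auth-Token)[\'"]?\s*[:=]\s*[\'"]?\[?[\'"]?[^\r\n\'"]+/i', '$1: ***REDACTED***', $redacted);`. This is also display-time masking only: the raw secrets stay in the table and are reachable by anything else that reads the model, so the durable fix is to apply the same redaction where the log row is written, ideally from a helper class rather than a closure in a view file. A `preg_replace` failure (e.g. backtrack limit on a large body) yields `null`, which appears to fall through the chain to an empty field here; an explicit `?? '***REDACTED***'` on each call would make that fail-closed outcome deliberate.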
@@ -33,10 +46,34 @@
 'restaurant_uuid',
 'method',
 'endpoint',
- 'request_headers:ntext',
- 'request_body:ntext',
- 'response_headers:ntext',
- 'response_body:ntext',
+ [
+ 'attribute' => 'request_headers',
+ 'format' => 'ntext',
+ 'value' => function ($model) use ($redactApiLogValue) {
+ return $redactApiLogValue($model->request_headers);
+ },
+ ],
+ [
+ 'attribute' => 'request_body',
+ 'format' => 'ntext',
+ 'value' => function ($model) use ($redactApiLogValue) {
+ return $redactApiLogValue($model->request_body);
+ },
+ ],
+ [
+ 'attribute' => 'response_headers',
+ 'format' => 'ntext',
+ 'value' => function ($model) use ($redactApiLogValue) {
+ return $redactApiLogValue($model->response_headers);
+ },
+ ],
+ [
+ 'attribute' => 'response_body',
+ 'format' => 'ntext',
+ 'value' => function ($model) use ($redactApiLogValue) {
+ return $redactApiLogValue($model->response_body);
+ },
+ ],
 'created_at',
 ],
 ]) ?>
diff --git a/tests/check-api-log-view-redaction.sh b/tests/check-api-log-view-redaction.sh
new file mode 100644
index 000000000..54bebd351
--- /dev/null
+++ b/tests/check-api-log-view-redaction.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+target="backend/views/api-log/view.php"
+
+for direct in \
+ "request_headers:ntext" \
+ "request_body:ntext" \
+ "response_headers:ntext" \
+ "response_body:ntext"
+do
+ if grep -q "$direct" "$target"; then
+ echo "api log view still renders $direct directly" >&2
+ exit 1
+ fi
+done
+
+grep -q "redactApiLogValue" "$target"
+grep -q "Authorization" "$target"
+grep -q "Bearer" "$target"
+grep -q "Basic" "$target"
+grep -q "api\\[_-\\]?key" "$target"
+grep -q "secret" "$target"
+grep -q "token" "$target"
+grep -q "\\*\\*\\*REDACTED\\*\\*\\*" "$target"
+
+echo "API log view redaction guard passed."
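Review bot: The four `value` closures redact only on this detail page; the `index` listing the breadcrumb points at, and any export, JSON response or other view that reads `request_headers`/`request_body`/`response_headers`/`response_body` off the model, still receives the raw column values. Putting the redaction on the model instead — e.g. a `getRedactedRequestHeaders()`-style accessor or an `afterFind()` hook — and pointing these columns at that would give every consumer one code path rather than relying on each view to remember to wrap the attribute. Keeping `'format' => 'ntext'` is the right call, since the formatter presumably still HTML-encodes the closure's return value before rendering. The widget array these entries belong to starts and ends outside the hunk.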
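Review bot: This guard only greps for substrings in the view source, so `grep -q "secret"` or `grep -q "token"` is satisfied by any comment mentioning the word, and nothing here asserts that a real header or body actually comes back masked. A behavioural test — feed `Authorization: Bearer abc123` and a JSON body containing `"password":"hunter2"` through the redaction and assert the output contains `***REDACTED***` and not the original values — would catch a broken pattern, which this script cannot; the closure living inside a view file is the main obstacle to writing that test, which is a further argument for moving it into a helper class. Separately, `target` is relative to the working directory, so add `cd "$(dirname "$0")/.."` after `set -euo pipefail` so the script passes or fails for the right reason regardless of where it is invoked from.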