fix: Sanitize the Hyper Request included in the SDK response

elpete · web-flow · commit dd2dbce509d3 · 2026-05-06T10:17:07.000-06:00
diff --git a/models/Subscriptions.cfc b/models/Subscriptions.cfc
@@ -240,7 +240,20 @@ component singleton accessors="true" {
 
     private struct function buildResponseResult( required string subscriberEmail, required any response ) {
         var memento = arguments.response.getMemento();
-        memento[ "request" ] = arguments.response.getRequest().getMemento();
+        memento[ "request" ] = arguments.response
+            .getRequest()
+            .getMemento(
+                excludes = [
+                    "authType",
+                    "clientCert",
+                    "clientCertPassword",
+                    "domain",
+                    "headers",
+                    "password",
+                    "username",
+                    "workstation"
+                ]
+            );
         return {
             "subscriber": arguments.subscriberEmail,
             "success": arguments.response.isSuccess(),
diff --git a/tests/specs/unit/SubscriptionsSpec.cfc b/tests/specs/unit/SubscriptionsSpec.cfc
@@ -318,6 +318,35 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
                 expect( result.results[ 1 ].statusCode ).toBe( 429 );
             } );
 
+            it( "sanitizes request credentials from operation result response mementos", function() {
+                var credentialedHyper = new Hyper.models.HyperBuilder(
+                    defaults = new Hyper.models.HyperRequest()
+                        .setUsername( "secret-api-key" )
+                        .setPassword( "secret-password" )
+                ).fake( {
+                        "*/v2/contacts": function( newFakeResponse, req ) {
+                            return newFakeResponse( 429, "Too Many Requests", "{}" );
+                        }
+                    } )
+                    .preventStrayRequests();
+
+                variables.client.setHyperClient( credentialedHyper );
+
+                var result = variables.client.create( listKey = "myList", subscribers = [ "person@example.com" ] );
+                var requestMemento = result.results[ 1 ].response.request;
+
+                expect( requestMemento.method ).toBe( "POST" );
+                expect( requestMemento.url ).toBe( "/v2/contacts" );
+                expect( requestMemento ).notToHaveKey( "authType" );
+                expect( requestMemento ).notToHaveKey( "clientCert" );
+                expect( requestMemento ).notToHaveKey( "clientCertPassword" );
+                expect( requestMemento ).notToHaveKey( "domain" );
+                expect( requestMemento ).notToHaveKey( "headers" );
+                expect( requestMemento ).notToHaveKey( "password" );
+                expect( requestMemento ).notToHaveKey( "username" );
+                expect( requestMemento ).notToHaveKey( "workstation" );
+            } );
+
             it( "marks cancel results as failed when Cordial returns non-2xx", function() {
                 variables.hyper
                     .fake( {
