@@ -195,20 +195,6 @@ pub struct Target {
195195}
196196
197197impl Target {
198- /// Evaluates an HTTP header name to determine if its value is likely a secret.
199- /// Uses a strict allowlist of known sensitive headers (Authorization, Cookies)
200- /// combined with a broad blocklist of dangerous substrings (token, secret, key)
201- /// to catch custom headers like `X-Api-Token`.
202- fn should_redact_header ( name : & str ) -> bool {
203- let lower = name. to_lowercase ( ) ;
204- matches ! (
205- lower. as_str( ) ,
206- "authorization" | "proxy-authorization" | "cookie" | "set-cookie"
207- ) || lower. contains ( "token" )
208- || lower. contains ( "secret" )
209- || lower. contains ( "key" )
210- || lower. contains ( "signature" )
211- }
212198 /// Sanitizes a URL by obliterating the trailing path segment.
213199 fn mask_url ( url : & Url ) -> String {
214200 let mut base = url. clone ( ) ;
@@ -237,13 +223,7 @@ impl Target {
237223 let safe_headers: HashMap < String , String > = other_web_hook
238224 . headers
239225 . into_iter ( )
240- . map ( |( k, v) | {
241- if Self :: should_redact_header ( & k) {
242- ( k, "********" . to_string ( ) )
243- } else {
244- ( k, v)
245- }
246- } )
226+ . map ( |( k, _v) | ( k, "********" . to_string ( ) ) )
247227 . collect ( ) ;
248228 json ! ( {
249229 "name" : self . name,
@@ -709,41 +689,4 @@ mod tests {
709689 "Expected redaction marker not found!"
710690 ) ;
711691 }
712-
713- #[ test]
714- fn test_masked_webhook_hides_auth_headers ( ) {
715- let mut headers = HashMap :: new ( ) ;
716- headers. insert ( "Authorization" . into ( ) , "Bearer super-secret-token" . into ( ) ) ;
717- headers. insert ( "Content-Type" . into ( ) , "application/json" . into ( ) ) ;
718-
719- let target = Target {
720- name : "slack-hook" . into ( ) ,
721- id : Ulid :: new ( ) ,
722- tenant : None ,
723- target : TargetType :: Other ( OtherWebHook {
724- endpoint : "https://hooks.slack.com/services/T00/B00/SECRET"
725- . parse ( )
726- . unwrap ( ) ,
727- headers,
728- skip_tls_check : false ,
729- } ) ,
730- } ;
731-
732- let masked = target. mask ( ) ;
733- let masked_str = serde_json:: to_string ( & masked) . unwrap ( ) ;
734-
735- assert ! (
736- !masked_str. contains( "super-secret-token" ) ,
737- "Bearer token leaked in masked response!"
738- ) ;
739- assert ! (
740- !masked_str. contains( "SECRET" ) ,
741- "Webhook URL secret leaked in masked response!"
742- ) ;
743- // Non-sensitive headers should survive
744- assert ! (
745- masked_str. contains( "application/json" ) ,
746- "Non-sensitive header was incorrectly redacted!"
747- ) ;
748- }
749692}
0 commit comments