Merge pull request from GHSA-3f65-m234-9mxr

Exclude access_token from error message
huandu · May 24, 2024 · 8b34431 · 8b34431
2 parents 1591be2 + 04fca0a
commit 8b34431
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/session.go b/session.go
@@ -562,7 +562,22 @@ func (session *Session) sendRequest(request *http.Request) (response *http.Respo
 	}
 
 	if err != nil {
-		err = fmt.Errorf("facebook: cannot reach facebook server; %w", err)
+		originalErr := err
+		err = fmt.Errorf("facebook: cannot reach facebook server; %w", originalErr)
+		netUrlErr, ok := originalErr.(*url.Error)
+		// *url.Error can contain access_token in the URL, so we need to exclude it.
+		if !ok || netUrlErr.URL == "" {
+			return
+		}
+		q := request.URL.Query()
+		if !q.Has("access_token") {
+			return
+		}
+		q.Del("access_token")
+		url := *request.URL
+		url.RawQuery = q.Encode()
+		netUrlErr.URL = url.String()
+		err = fmt.Errorf("facebook: cannot reach facebook server; %w", netUrlErr)
 		return
 	}
 

diff --git a/session_test.go b/session_test.go
@@ -11,8 +11,10 @@ import (
 	"bytes"
 	"context"
 	"encoding/base64"
+	"errors"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 )
 
@@ -400,3 +402,28 @@ func TestSessionGetWithQueryString(t *testing.T) {
 
 	t.Logf("my extended info is: %v", result)
 }
+
+func TestSessionGetFailingWithoutExposingAccessToken(t *testing.T) {
+	var accessToken = "CAACZA38ZAD8CoBAe2bDC6EdThnni3b56scyshKINjZARoC9ZAuEUTgYUkYnKdimqfA2ZAXcd2wLd7Rr8jLmMXTY9vqAhQGqObZBIUz1WwbqVoCsB3AAvLtwoWNhsxM76mK0eiJSLXHZCdPVpyhmtojvzXA7f69Bm6b5WZBBXia8iOpPZAUHTGp1UQLFMt47c7RqJTrYIl3VfAR0deN82GMFL2"
+	session := &Session{}
+	session.SetAccessToken(accessToken)
+	session.HttpClient = &http.Client{
+		Transport: alwaysFailRoundTripper{},
+	}
+
+	_, err := session.Get("/me", nil)
+	if err == nil {
+		t.Fatalf("request should fail")
+	}
+	if strings.Contains(err.Error(), accessToken) {
+		t.Errorf("error message should not contain access token")
+	}
+}
+
+type alwaysFailRoundTripper struct{}
+
+var _ http.RoundTripper = alwaysFailRoundTripper{}
+
+func (a alwaysFailRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return nil, errors.New("request failed since alwaysFailRoundTripper is used")
+}