Merge pull request #46 from securenative/dev

Remove pii data

Author: inbaltako

.github/workflows/publish.yml

@@ -24,10 +24,12 @@ jobs:
       uses: actions/setup-python@v2
       with:
         python-version: '3.6'
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install setuptools wheel twine
+
     - name: Build and publish
       env:
         TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}

README.md

@@ -193,4 +193,29 @@ from securenative.config.securenative_options import SecureNativeOptions
 
 options = SecureNativeOptions(api_key="YOUR_API_KEY", max_events=10, log_level="ERROR", proxy_headers=['CF-Connecting-IP'])
 securenative = SecureNative.init_with_options(options)
+```
+
+
+## Remove PII Data From Headers
+
+By default, SecureNative SDK remove any known pii headers from the received request.
+We also support using custom pii headers and regex matching via configuration, for example:
+
+### Option 1: Using config file
+```ini
+SECURENATIVE_API_KEY: "YOUR_API_KEY"
+SECURENATIVE_PII_HEADERS: ["apiKey"]
+```
+
+Initialize sdk as shown above.
+
+### Options 2: Using ConfigurationBuilder
+
+```python
+from securenative.securenative import SecureNative
+from securenative.config.securenative_options import SecureNativeOptions
+
+
+options = SecureNativeOptions(api_key="YOUR_API_KEY", max_events=10, log_level="ERROR", pii_regex_pattern='((?i)(http_auth_)(\w+)?)')
+securenative = SecureNative.init_with_options(options)
 ```

VERSION

@@ -1 +1 @@
-0.3.3
+0.3.6

securenative/config/configuration_manager.py

@@ -69,4 +69,9 @@ def load_config(cls, resource_path):
                                                                               "SECURENATIVE_FAILOVER_STRATEGY",
                                                                               options.fail_over_strategy),
                                    proxy_headers=cls._get_env_or_default(properties, "SECURENATIVE_PROXY_HEADERS",
-                                                                         options.proxy_headers))
+                                                                         options.proxy_headers),
+                                   pii_headers=cls._get_env_or_default(properties, "SECURENATIVE_PII_HEADERS",
+                                                                       options.pii_headers),
+                                   pii_regex_pattern=cls._get_env_or_default(properties,
+                                                                             "SECURENATIVE_PII_REGEX_PATTERN",
+                                                                             options.pii_regex_pattern))

securenative/config/securenative_options.py

@@ -5,7 +5,8 @@ class SecureNativeOptions(object):
 
     def __init__(self, api_key=None, api_url="https://api.securenative.com/collector/api/v1", interval=1000,
                  max_events=1000, timeout=1500, auto_send=True, disable=False, log_level="CRITICAL",
-                 fail_over_strategy=FailOverStrategy.FAIL_OPEN.value, proxy_headers=None):
+                 fail_over_strategy=FailOverStrategy.FAIL_OPEN.value, proxy_headers=None,
+                 pii_headers=None, pii_regex_pattern=None):
 
         if proxy_headers is None:
             proxy_headers = []
@@ -24,3 +25,5 @@ def __init__(self, api_key=None, api_url="https://api.securenative.com/collector
         self.disable = disable
         self.log_level = log_level
         self.proxy_headers = proxy_headers
+        self.pii_headers = pii_headers
+        self.pii_regex_pattern = pii_regex_pattern

securenative/context/securenative_context.py

@@ -21,7 +21,7 @@ def from_http_request(request, options):
             client_token = None
 
         try:
-            headers = dict(request.headers)
+            headers = RequestUtils.get_headers_from_request(request.headers, options)
         except Exception:
             headers = None
 

securenative/utils/request_utils.py

@@ -1,10 +1,13 @@
+import re
+
 from securenative.utils.ip_utils import IpUtils
 
 
 class RequestUtils(object):
     SECURENATIVE_COOKIE = "_sn"
     SECURENATIVE_HEADER = "x-securenative"
     IP_HEADERS = ["HTTP_X_FORWARDED_FOR", "X_FORWARDED_FOR", "REMOTE_ADDR", "x-forwarded-for", "x-client-ip", "x-real-ip", "x-forwarded", "x-cluster-client-ip", "forwarded-for", "forwarded", "via"]
+    PII_HEADERS = ['authorization', 'access_token', 'apikey', 'password',  'passwd', 'secret', 'api_key']
 
     @staticmethod
     def get_secure_header_from_request(headers):
@@ -15,7 +18,7 @@ def get_secure_header_from_request(headers):
 
     @staticmethod
     def get_client_ip_from_request(request, options):
-        if options and len(options.proxy_headers) > 0:
+        if options and options.proxy_headers and len(options.proxy_headers) > 0:
             for header in options.proxy_headers:
                 try:
                     if request.environ.get(header) is not None:
@@ -76,3 +79,21 @@ def get_valid_ip(ips):
 
         if IpUtils.is_loop_back(ip):
             return ip
+
+    @staticmethod
+    def get_headers_from_request(headers, options=None):
+        h = {}
+        if options and options.pii_headers and len(options.pii_headers) > 0:
+            for header in headers:
+                if header not in options.pii_headers and header.upper() not in options.pii_headers:
+                    h[header] = headers[header]
+        elif options and options.pii_regex_pattern:
+            for header in headers:
+                if not re.search(options.pii_regex_pattern, header):
+                    h[header] = headers[header]
+        else:
+            for header in headers:
+                if header not in RequestUtils.PII_HEADERS and header.upper() not in RequestUtils.PII_HEADERS:
+                    h[header] = headers[header]
+
+        return h

securenative/utils/version_utils.py

@@ -2,4 +2,4 @@ class VersionUtils(object):
 
     @staticmethod
     def get_version():
-        return "0.3.3"
+        return "0.3.6"

tests/configuration_manager_test.py

@@ -63,7 +63,9 @@ def test_parse_config_file_correctly(self):
             "SECURENATIVE_DISABLE": "False",
             "SECURENATIVE_LOG_LEVEL": "Critical",
             "SECURENATIVE_FAILOVER_STRATEGY": "fail-closed",
-            "SECURENATIVE_PROXY_HEADERS": "CF-Connecting-IP,Some-Random-Ip"
+            "SECURENATIVE_PROXY_HEADERS": "CF-Connecting-IP,Some-Random-Ip",
+            "SECURENATIVE_PII_HEADERS": "authentication,api_key",
+            "SECURENATIVE_PII_REGEX_PATTERN": "/auth/i"
         }
 
         self.create_ini_file(config)
@@ -79,7 +81,9 @@ def test_parse_config_file_correctly(self):
         self.assertEqual(options.log_level, "Critical")
         self.assertEqual(options.max_events, "100")
         self.assertEqual(options.timeout, "1500")
+        self.assertEqual(options.pii_regex_pattern, "/auth/i")
         self.assertEqual(options.proxy_headers, ["CF-Connecting-IP", "Some-Random-Ip"])
+        self.assertEqual(options.pii_headers, ["authentication", "api_key"])
 
     @unittest.skipIf(platform.system() == "Windows" or platform.system() == "windows", "test not supported on windows")
     def test_ignore_unknown_config_in_properties_file(self):

tests/request_utils_test.py

@@ -308,3 +308,111 @@ def test_extraction_priority_without_x_forwarded_for(self):
         client_ip = RequestUtils.get_client_ip_from_request(request, options)
 
         self.assertEqual("203.0.113.1", client_ip)
+
+    def test_strip_down_pii_data_from_headers(self):
+        headers = {
+            'Host': 'net.example.com',
+            'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)',
+            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+            'Accept-Language': 'en-us,en;q=0.5',
+            'Accept-Encoding': 'gzip,deflate',
+            'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+            'Keep-Alive': '300',
+            'Connection': 'keep-alive',
+            'Cookie': 'PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120',
+            'Pragma': 'no-cache',
+            'Cache-Control': 'no-cache',
+            'authorization': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'access_token': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'apikey': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'password': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'passwd': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'secret': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'api_key': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z'
+        }
+
+        with requests_mock.Mocker(real_http=True) as request:
+            request.headers = headers
+
+        h = RequestUtils.get_headers_from_request(request.headers)
+
+        self.assertEqual(h.get('authorization'), None)
+        self.assertEqual(h.get('access_token'), None)
+        self.assertEqual(h.get('apikey'), None)
+        self.assertEqual(h.get('password'), None)
+        self.assertEqual(h.get('passwd'), None)
+        self.assertEqual(h.get('secret'), None)
+        self.assertEqual(h.get('api_key'), None)
+
+    def test_strip_down_pii_data_from_custom_headers(self):
+        headers = {
+            'Host': 'net.example.com',
+            'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)',
+            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+            'Accept-Language': 'en-us,en;q=0.5',
+            'Accept-Encoding': 'gzip,deflate',
+            'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+            'Keep-Alive': '300',
+            'Connection': 'keep-alive',
+            'Cookie': 'PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120',
+            'Pragma': 'no-cache',
+            'Cache-Control': 'no-cache',
+            'authorization': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'access_token': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'apikey': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'password': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'passwd': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'secret': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'api_key': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z'
+        }
+
+        with requests_mock.Mocker(real_http=True) as request:
+            request.headers = headers
+
+        options = SecureNativeOptions(pii_headers=['authorization', 'access_token', 'apikey', 'password',
+                                                   'passwd', 'secret', 'api_key'])
+        h = RequestUtils.get_headers_from_request(request.headers, options)
+
+        self.assertEqual(h.get('authorization'), None)
+        self.assertEqual(h.get('access_token'), None)
+        self.assertEqual(h.get('apikey'), None)
+        self.assertEqual(h.get('password'), None)
+        self.assertEqual(h.get('passwd'), None)
+        self.assertEqual(h.get('secret'), None)
+        self.assertEqual(h.get('api_key'), None)
+
+    def test_strip_down_pii_data_from_regex_pattern(self):
+        headers = {
+            'Host': 'net.example.com',
+            'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)',
+            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+            'Accept-Language': 'en-us,en;q=0.5',
+            'Accept-Encoding': 'gzip,deflate',
+            'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+            'Keep-Alive': '300',
+            'Connection': 'keep-alive',
+            'Cookie': 'PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120',
+            'Pragma': 'no-cache',
+            'Cache-Control': 'no-cache',
+            'http_auth_authorization': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_access_token': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_apikey': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_password': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_passwd': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_secret': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z',
+            'http_auth_api_key': 'ylSkZIjbdWybfs4fUQe9BqP0LH5Z'
+        }
+
+        with requests_mock.Mocker(real_http=True) as request:
+            request.headers = headers
+
+        options = SecureNativeOptions(pii_regex_pattern='((?i)(http_auth_)(\w+)?)')
+        h = RequestUtils.get_headers_from_request(request.headers, options)
+
+        self.assertEqual(h.get('http_auth_authorization'), None)
+        self.assertEqual(h.get('http_auth_access_token'), None)
+        self.assertEqual(h.get('http_auth_apikey'), None)
+        self.assertEqual(h.get('http_auth_password'), None)
+        self.assertEqual(h.get('http_auth_passwd'), None)
+        self.assertEqual(h.get('http_auth_secret'), None)
+        self.assertEqual(h.get('http_auth_api_key'), None)