Files
2026-07-13 13:32:57 +08:00

45 lines
1.6 KiB
TypeScript

import { WORKER_HEADERS } from "@trigger.dev/core/v3/workers";
import { describe, expect, it } from "vitest";
import { sanitizeWorkerHeaders } from "../app/v3/services/worker/sanitizeWorkerHeaders.js";
// Runs before request headers are logged. The security property: secret-bearing
// managed-worker headers must never make it into the sanitized (loggable)
// object.
describe("sanitizeWorkerHeaders", () => {
const build = () =>
new Headers({
authorization: "Bearer tr_secret",
cookie: "__session=abc",
[WORKER_HEADERS.MANAGED_SECRET]: "cluster-shared-secret",
[WORKER_HEADERS.INSTANCE_NAME]: "supervisor-1",
"content-type": "application/json",
});
it("strips the managed worker secret (the leak this fixes)", () => {
const out = sanitizeWorkerHeaders(build());
expect(out[WORKER_HEADERS.MANAGED_SECRET]).toBeUndefined();
});
it("strips authorization and cookie", () => {
const out = sanitizeWorkerHeaders(build());
expect(out["authorization"]).toBeUndefined();
expect(out["cookie"]).toBeUndefined();
});
it("preserves non-sensitive headers", () => {
const out = sanitizeWorkerHeaders(build());
expect(out["content-type"]).toBe("application/json");
expect(out[WORKER_HEADERS.INSTANCE_NAME]).toBe("supervisor-1");
});
it("matches header names case-insensitively", () => {
const h = new Headers({
Authorization: "Bearer x",
"X-Trigger-Worker-Managed-Secret": "s",
});
const out = sanitizeWorkerHeaders(h);
// Headers lower-cases keys; both must be gone regardless of input casing.
expect(Object.keys(out)).toHaveLength(0);
});
});