
Filtering is case sensitive which makes it insecure at filtering sensitive data #154

Open
nkavian opened this issue Jun 16, 2020 · 3 comments
Labels
backlog We hope to fix this feature/bug in the future bug Confirmed bug

Comments


nkavian commented Jun 16, 2020

Observation
I'm setting bugsnag.setFilters("Authorization"); so that I can filter out a sensitive header.
When using cURL -u username:password, I noticed the 'authorization' header was still present in the BugSnag dashboard. HTTP headers are case insensitive and a server has no control over how a client will case the header names. I could filter both, but that would be plain silly: bugsnag.setFilters("authorization", "Authorization").

Expected Result
Update the Java SDK at the mentioned line below to compare the strings in a case insensitive way.

Side note: This same line below has an undocumented and undesired behaviour since it's written as if(key.contains(filter)). If I filter on name, it will filter name1 and username as well. This is not desirable, especially since it's undocumented, but also because it forces developers to rename variables to avoid filter clashes.

Source of the Issue

@nkavian nkavian changed the title Filtering is ineffective since it's not case insensitive Filtering is case sensitive which makes it insecure at filtering sensitive data Jun 16, 2020

nkavian commented Jun 16, 2020

Just noticed #152 from back in January.

@johnkiely1 (Member) commented

Hi @nkavian.
Thanks for the report.
As you will have seen from #152, this is something we are aware of and have plans to update. As of now this would be expected to be addressed in the next major release of bugsnag-java. As this is part of a much larger set of changes, we don't have a definite timeframe for when this will be ready for release yet.
For now, although not ideal, I would suggest you work around it as best you can.

@johnkiely1 johnkiely1 added backlog We hope to fix this feature/bug in the future bug Confirmed bug labels Jun 22, 2020

wheleph commented Sep 7, 2021

Although I played around with com.bugsnag:bugsnag-spring:3.6.2 and not with pure bugsnag-java, the following discovery may come in handy.

Apparently, before applying filters, Bugsnag converts HTTP headers to lowercase.

So the following filter setup works for me:

bugsnag.setFilters("authorization", "cookie");

Hope this helps.
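The two behaviours discussed in this thread, the case-sensitive substring match that the opening report describes (if(key.contains(filter))) and the normalise-to-lowercase approach behind the workaround above, placed side by side as an added example. This is illustrative code written for this page, not bugsnag-java's own filtering code or its API; the header values and filter names are constructed, and the two redaction methods are hypothetical stand-ins for whatever the SDK does internally.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example: compares two header-redaction strategies. Not bugsnag-java's code.
public class HeaderFilterDemo {

    static final String REDACTED = "[FILTERED]";

    // Behaviour the report describes: case-sensitive substring match, key.contains(filter).
    // A filter of "Authorization" misses a lowercase "authorization" header (the secret leaks),
    // while a filter of "name" also swallows "username" (unwanted over-redaction).
    static Map<String, String> redactBySubstring(Map<String, String> headers, List<String> filters) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            boolean hit = false;
            for (String f : filters) {
                if (e.getKey().contains(f)) {
                    hit = true;
                    break;
                }
            }
            out.put(e.getKey(), hit ? REDACTED : e.getValue());
        }
        return out;
    }

    // Hardened form: lowercase both the header name and the filter (Locale.ROOT avoids
    // locale-specific case rules such as the Turkish dotless i) and require an exact match.
    // This matches HTTP's case-insensitive header names and no longer lets "name" hit "username".
    static Map<String, String> redactExactIgnoreCase(Map<String, String> headers, List<String> filters) {
        Set<String> wanted = new HashSet<>();
        for (String f : filters) {
            wanted.add(f.toLowerCase(Locale.ROOT));
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            boolean hit = wanted.contains(e.getKey().toLowerCase(Locale.ROOT));
            out.put(e.getKey(), hit ? REDACTED : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers; the client chose a lowercase "authorization" name.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("authorization", "Basic dXNlcjpzZWNyZXQ="); // constructed: "user:secret"
        headers.put("username", "alice");
        headers.put("name", "checkout");
        headers.put("Content-Type", "application/json");

        // The filter list from the report: capitalised "Authorization" plus the short key "name".
        List<String> filters = Arrays.asList("Authorization", "name");

        System.out.println("substring, case-sensitive: " + redactBySubstring(headers, filters));
        System.out.println("exact, case-insensitive : " + redactExactIgnoreCase(headers, filters));
    }
}
```

Running the class prints two maps. In the first, "authorization" still carries the Basic credential and "username" has been redacted although only "name" was asked for; in the second, "authorization" and "name" are redacted and "username" and "Content-Type" are left alone. The normalisation on both sides is what makes the lowercase filter names in the workaround above behave the same regardless of how the client cased its headers; a redaction check that is exact rather than substring-based is the cheap way to close the "name1"/"username" clash the opening report also mentions.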
