Add changelog, mask proxy-authorization

CHANGELOG.md

@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Server errors are no longer serialized back to the client since this might leak sensitive
   information through the error message. ([#1126])
+- When `show`ing `HTTP.Request` and `HTTP.Response` the values for the headers
+  `Authorization`, `Proxy-Authorization`, `Cookie`, and `Set-Cookie` are masked with `*`s
+  since they might include sensitive information. ([#1127])
 ### Fixed
 - Restrict `HTTP.isredirect` to arguments of integer types. ([#1117])
 - Fix `HTTP.getcookies` error when key doesn't exist. ([#1119])

src/Messages.jl

@@ -612,10 +612,11 @@ function Base.show(io::IO, m::Message)
 
     # Mask the following (potentially) sensitive headers with "******":
     # - Authorization
+    # - Proxy-Authorization
     # - Cookie
     # - Set-Cookie
     header_str = sprint(writeheaders, m)
-    header_str = replace(header_str, r"(*CRLF)^((?>Authorization|Cookie|Set-Cookie): ).+$"mi => s"\1******")
+    header_str = replace(header_str, r"(*CRLF)^((?>(?>Proxy-)?Authorization|(?>Set-)?Cookie): ).+$"mi => s"\1******")
     write(io, header_str)
 
     summary = bodysummary(m.body)

test/messages.jl

@@ -199,7 +199,7 @@ using JSON
         @test repr(Request("GET", "/", ["Accept" => ""])) == "Request:\n\"\"\"\nGET / HTTP/1.1\r\n\r\n\"\"\""
 
         # Test that sensitive header values are masked when `show`ing HTTP.Request and HTTP.Response
-        for H in ["Authorization", "Cookie", "Set-Cookie"], h in (lowercase(H), H)
+        for H in ["Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie"], h in (lowercase(H), H)
             req = HTTP.Request("GET", "https://xyz.com", [h => "secret", "User-Agent" => "HTTP.jl"])
             req_str = sprint(show, req)
             @test !occursin("secret", req_str)