Merge pull request #40 from viraptor/metadata

jacobbednarz · web-flow · commit e3f9bdab26e0 · 2020-05-04T07:21:10.000+10:00
Support injecting metadata as new field
diff --git a/README.md b/README.md
@@ -44,6 +44,15 @@ $ CGO_ENABLED=0 go build csp_collector.go
 
 See the sample.filterlist.txt file as an example of the filter list in a file
 
+### Request metadata
+
+Additional information can be attached to each report by adding a `metadata`
+url parameter to each report. That value will be copied verbatim into the
+logged report.
+
+For example a report sent to `https://collector.example.com/?metadata=foobar`
+will include field `metadata` with value `foobar`.
+
 ### Output formats
 
 The output format can be controlled by passing `--output-format <type>`
diff --git a/csp_collector.go b/csp_collector.go
@@ -191,6 +191,12 @@ func handleViolationReport(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	metadatas, gotMetadata := r.URL.Query()["metadata"]
+	var metadata string
+	if gotMetadata {
+		metadata = metadatas[0]
+	}
+
 	log.WithFields(log.Fields{
 		"document_uri":        report.Body.DocumentURI,
 		"referrer":            report.Body.Referrer,
@@ -201,6 +207,7 @@ func handleViolationReport(w http.ResponseWriter, r *http.Request) {
 		"disposition":         report.Body.Disposition,
 		"script_sample":       report.Body.ScriptSample,
 		"status_code":         report.Body.StatusCode,
+		"metadata":            metadata,
 	}).Info()
 }
 
diff --git a/csp_collector_test.go b/csp_collector_test.go
@@ -55,6 +55,50 @@ func TestHandlerForAllowingHealthcheck(t *testing.T) {
 	}
 }
 
+func TestHandlerWithMetadata(t *testing.T) {
+	csp := CSPReport{
+		CSPReportBody{
+			DocumentURI: "http://example.com",
+			BlockedURI:  "http://example.com",
+		},
+	}
+
+	payload, _ := json.Marshal(csp)
+
+	for _, repeats := range []int{1, 2} {
+		var logBuffer bytes.Buffer
+		log.SetOutput(&logBuffer)
+
+		url := "/?"
+		for i := 0; i < repeats; i++ {
+			url += fmt.Sprintf("metadata=value%d&", i)
+		}
+
+		request, err := http.NewRequest("POST", url, bytes.NewBuffer(payload))
+		if err != nil {
+			t.Fatalf("failed to create request: %v", err)
+		}
+		recorder := httptest.NewRecorder()
+
+		handleViolationReport(recorder, request)
+
+		response := recorder.Result()
+		defer response.Body.Close()
+
+		if response.StatusCode != http.StatusOK {
+			t.Errorf("expected HTTP status %v; got %v", http.StatusOK, response.StatusCode)
+		}
+
+		log := logBuffer.String()
+		if !strings.Contains(log, "metadata=value0") {
+			t.Fatalf("Logged result should contain metadata value0 in '%s'", log)
+		}
+		if strings.Contains(log, "metadata=value1") {
+			t.Fatalf("Logged result shouldn't contain metadata value1 in '%s'", log)
+		}
+	}
+}
+
 func TestValidateViolationWithInvalidBlockedURIs(t *testing.T) {
 	invalidBlockedURIs := []string{
 		"resource://",
