jazzband · auvipy · May 8, 2019 · May 8, 2019
diff --git a/project/tests/test_sensitive_data_in_request.py b/project/tests/test_sensitive_data_in_request.py
@@ -43,3 +43,22 @@ def test_password_in_json(self):
         self.assertNotIn('test_username', body)
         self.assertNotIn('testpassword', body)
 
+    def test_password_in_batched_json(self):
+        mock_request = Mock()
+        mock_request.META = {DJANGO_META_CONTENT_TYPE: 'application/json; charset=UTF-8'}
+        d = [
+            {'x': 'testunmasked', 'username': 'test_username', 'password': 'testpassword'},
+            {'x': 'testunmasked', 'username': 'test_username', 'password': 'testpassword'}
+        ]
+        mock_request.body = json.dumps(d)
+        mock_request.get = mock_request.META.get
+        factory = RequestModelFactory(mock_request)
+        body, raw_body = factory.body()
+        self.assertIn('testunmasked', raw_body)
+        self.assertNotIn('test_username', raw_body)
+        self.assertNotIn('testpassword', raw_body)
+        self.assertNotIn('test_username', body[0])
+        self.assertNotIn('testpassword', body[0])
+        self.assertNotIn('test_username', body[1])
+        self.assertNotIn('testpassword', body[1])
+
diff --git a/silk/model_factory.py b/silk/model_factory.py
@@ -91,6 +91,16 @@ def _mask_credentials(self, body):
         """
         Mask credentials of potentially sensitive info before saving to db.
         """
+        CLEANSED_SUBSTITUTE = '********************'
+
+        def replace_pattern_values(obj):
+            pattern = re.compile(r'username|api|token|key|secret|password|signature', re.I)
+            for key in obj:
+                if pattern.search(key):
+                    obj[key] = CLEANSED_SUBSTITUTE
+
+            return obj
+
         try:
             json_body = json.loads(body)
         except Exception as e:
@@ -101,14 +111,15 @@ def _mask_credentials(self, body):
                 Logger.debug('{}'.format(str(e)))
             else:
                 for res in results:
-                    body = re.sub(res[1], '********************', body)
+                    body = re.sub(res[1], CLEANSED_SUBSTITUTE, body)
         else:
-            pattern = re.compile(r'username|api|token|key|secret|password|signature', re.I)
-            CLEANSED_SUBSTITUTE = '********************'
-            for key in json_body:
-                if pattern.search(key):
-                    json_body[key] = CLEANSED_SUBSTITUTE
+            if isinstance(json_body, list):
+                for obj in json_body:
+                    obj = replace_pattern_values(obj)
+            else:
+                json_body = replace_pattern_values(json_body)
             body = json.dumps(json_body)
+
         return body
 
     def _body(self, raw_body, content_type):