Fix RequestBuilder to send explicitly sensitive headers

Closes seanmonstar#1549
Nutomic · Nov 7, 2024 · 03ae28c · 03ae28c
1 parent a71f8fa
commit 03ae28c
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/src/async_impl/request.rs b/src/async_impl/request.rs
@@ -203,7 +203,12 @@ impl RequestBuilder {
             match <HeaderName as TryFrom<K>>::try_from(key) {
                 Ok(key) => match <HeaderValue as TryFrom<V>>::try_from(value) {
                     Ok(mut value) => {
-                        value.set_sensitive(sensitive);
+                        // We want to potentially make an unsensitive header
+                        // to be sensitive, not the reverse. So, don't turn off
+                        // a previously sensitive header.
+                        if sensitive {
+                            value.set_sensitive(true);
+                        }
                         req.headers_mut().append(key, value);
                     }
                     Err(e) => error = Some(crate::error::builder(e.into())),
@@ -840,6 +845,25 @@ mod tests {
         assert!(req.headers()["authorization"].is_sensitive());
     }
 
+    #[test]
+    fn test_explicit_sensitive_header() {
+        let client = Client::new();
+        let some_url = "https://localhost/";
+
+        let mut header = http::HeaderValue::from_static("in plain sight");
+        header.set_sensitive(true);
+
+        let req = client
+            .get(some_url)
+            .header("hiding", header)
+            .build()
+            .expect("request build");
+
+        assert_eq!(req.url().as_str(), "https://localhost/");
+        assert_eq!(req.headers()["hiding"], "in plain sight");
+        assert!(req.headers()["hiding"].is_sensitive());
+    }
+
     #[test]
     fn convert_from_http_request() {
         let http_request = HttpRequest::builder()