yiisoft / yii2-debug

Debug Extension for Yii 2
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

[Feature] Filtering fields in the debug bar #478

Open DBX12 opened 2 years ago

DBX12 commented 2 years ago

As a developer I want to filter certain fields from the debug page to prevent leaking secrets. The debug page currently lists all and everything it can get, some fields should not be shown when in a shared development environment. I would make it configurable per panel and only filter the Request and User panel. What do you think about this? I would prepare a PR if it is interesting for the project.

bizley commented 2 years ago

Could you provide an example of the danger you would like to prevent with it?

DBX12 commented 2 years ago

For example in the requests tab, the Authorization header could be censored as it contains credentials. That's no problem but bad when you have a shared debug stage. My idea would be configuring the request panel with an array of header names which should be censored.

edit: Removed noise added with "reply by mail"

bizley commented 2 years ago

I'm asking since the debug panel should not be enabled for users other than developer(s). This concept of "shared" debug stage sounds wrong.

DBX12 commented 2 years ago

The shared debug environment is not uncommon in commercial settings I guess since you can run integration tests against other systems there or have your QA team work on it and report issues to the dev team. In our setting, it is a duplicate of the production system but with dummy data, YII_ENV set to dev and IP-locked to the office on the OS level. While not really a valid argument, I want to note that a common Laravel debug page (whoops) has this capability too.

bizley commented 2 years ago

Ok, sounds legit then. LogTarget used in the debug panel can be configured since #469 and this allows us to use the features of https://github.com/yiisoft/yii2/blob/master/framework/log/Target.php with $maskVars and so on. Do you reckon this is enough to keep the data safe or something extra is necessary?

DBX12 commented 2 years ago

I think using $maskVars won't work since the request panel is not using the log target, is it? I thought about not adding the values to $requestHeaders and $responseHeaders if the name is in the filter list. One example from RequestPanel.php:61

// Skip headers whose names are on the configured filter list
foreach ($headers as $name => $value) {
  if (in_array($name, $filterList, true)) {
    continue;
  }
  if (is_array($value) && count($value) == 1) {
    $requestHeaders[$name] = current($value);
  } else {
    $requestHeaders[$name] = $value;
  }
}

Filtering the global vars GET and POST would be a bit more work, but still doable. For the UserPanel, I would need to look deeper into it (what exactly is shown, what would be sensible to make filterable).
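An added example of the header filtering discussed above, not code from yii2-debug or from the commenter: it masks the configured headers instead of dropping them (so a developer still sees the header was sent) and compares names case-insensitively, since HTTP header names are case-insensitive and a case-sensitive in_array() would let "authorization" slip through. The function name, the mask list and the sample headers are assumptions for the example.

```php
<?php
// Added example, not yii2-debug code. Collect request headers for the debug
// panel while masking sensitive ones rather than silently dropping them.

/**
 * @param array    $headers  name => string|string[] as a HeaderCollection yields them
 * @param string[] $maskList header names to mask, in any letter case
 * @return array   name => value, with masked entries replaced by a placeholder
 */
function collectMaskedHeaders(array $headers, array $maskList): array
{
    // Normalise the mask list once so lookups are O(1) and case-insensitive.
    $mask = array_fill_keys(array_map('strtolower', $maskList), true);
    $result = [];
    foreach ($headers as $name => $value) {
        if (isset($mask[strtolower($name)])) {
            // Keep the header name visible, never the credential itself.
            $result[$name] = '***MASKED***';
            continue;
        }
        // Same flattening the panel already does for single-valued headers.
        if (is_array($value) && count($value) === 1) {
            $result[$name] = current($value);
        } else {
            $result[$name] = $value;
        }
    }
    return $result;
}

// Constructed sample input (not a captured request); note the lowercase
// "authorization", which a case-sensitive filter list would miss.
$headers = [
    'Host'          => ['example.test'],
    'authorization' => ['Bearer constructed-sample-token'],
    'Cookie'        => ['PHPSESSID=constructed; _csrf=constructed'],
    'Accept'        => ['text/html', 'application/json'],
];
$safe = collectMaskedHeaders($headers, ['Authorization', 'Cookie', 'X-Api-Key']);
var_export($safe);
```

The same helper can be applied to $_GET and $_POST keys, which is where the $maskVars idea from yii\log\Target would otherwise have to be reimplemented for the panel.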

bizley commented 2 years ago

It is but I'm not sure if this is enough.

DBX12 commented 2 years ago

The detail view of the request panel is rendered with a view file and simple <?= tags so I doubt the logTarget does anything here.