Fixed #19453 -- Ensured that the decorated function's arguments are obfuscated in the @sensitive_variables decorator's frame, in case the variables associated with those arguments were meant to be obfuscated from the decorated function's frame.

Thanks to vzima for the report.
This commit is contained in:
Julien Phalip 2012-12-31 09:34:08 -08:00
parent acc5396e6d
commit 9180146d21
5 changed files with 137 additions and 28 deletions

View File

@ -172,13 +172,12 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter):
break break
current_frame = current_frame.f_back current_frame = current_frame.f_back
cleansed = [] cleansed = {}
if self.is_active(request) and sensitive_variables: if self.is_active(request) and sensitive_variables:
if sensitive_variables == '__ALL__': if sensitive_variables == '__ALL__':
# Cleanse all variables # Cleanse all variables
for name, value in tb_frame.f_locals.items(): for name, value in tb_frame.f_locals.items():
cleansed.append((name, CLEANSED_SUBSTITUTE)) cleansed[name] = CLEANSED_SUBSTITUTE
return cleansed
else: else:
# Cleanse specified variables # Cleanse specified variables
for name, value in tb_frame.f_locals.items(): for name, value in tb_frame.f_locals.items():
@ -187,16 +186,25 @@ class SafeExceptionReporterFilter(ExceptionReporterFilter):
elif isinstance(value, HttpRequest): elif isinstance(value, HttpRequest):
# Cleanse the request's POST parameters. # Cleanse the request's POST parameters.
value = self.get_request_repr(value) value = self.get_request_repr(value)
cleansed.append((name, value)) cleansed[name] = value
return cleansed
else: else:
# Potentially cleanse only the request if it's one of the frame variables. # Potentially cleanse only the request if it's one of the frame variables.
for name, value in tb_frame.f_locals.items(): for name, value in tb_frame.f_locals.items():
if isinstance(value, HttpRequest): if isinstance(value, HttpRequest):
# Cleanse the request's POST parameters. # Cleanse the request's POST parameters.
value = self.get_request_repr(value) value = self.get_request_repr(value)
cleansed.append((name, value)) cleansed[name] = value
return cleansed
if (tb_frame.f_code.co_name == 'sensitive_variables_wrapper'
and 'sensitive_variables_wrapper' in tb_frame.f_locals):
# For good measure, obfuscate the decorated function's arguments in
# the sensitive_variables decorator's frame, in case the variables
# associated with those arguments were meant to be obfuscated from
# the decorated function's frame.
cleansed['func_args'] = CLEANSED_SUBSTITUTE
cleansed['func_kwargs'] = CLEANSED_SUBSTITUTE
return cleansed.items()
class ExceptionReporter(object): class ExceptionReporter(object):
""" """

View File

@ -26,12 +26,12 @@ def sensitive_variables(*variables):
""" """
def decorator(func): def decorator(func):
@functools.wraps(func) @functools.wraps(func)
def sensitive_variables_wrapper(*args, **kwargs): def sensitive_variables_wrapper(*func_args, **func_kwargs):
if variables: if variables:
sensitive_variables_wrapper.sensitive_variables = variables sensitive_variables_wrapper.sensitive_variables = variables
else: else:
sensitive_variables_wrapper.sensitive_variables = '__ALL__' sensitive_variables_wrapper.sensitive_variables = '__ALL__'
return func(*args, **kwargs) return func(*func_args, **func_kwargs)
return sensitive_variables_wrapper return sensitive_variables_wrapper
return decorator return decorator

View File

@ -153,6 +153,20 @@ production environment (that is, where :setting:`DEBUG` is set to ``False``):
def my_function(): def my_function():
... ...
.. admonition:: When using mutiple decorators
If the variable you want to hide is also a function argument (e.g.
'``user``' in the following example), and if the decorated function has
mutiple decorators, then make sure to place ``@sensible_variables`` at
the top of the decorator chain. This way it will also hide the function
argument as it gets passed through the other decorators::
@sensitive_variables('user', 'pw', 'cc')
@some_decorator
@another_decorator
def process_info(user):
...
.. function:: sensitive_post_parameters(*parameters) .. function:: sensitive_post_parameters(*parameters)
If one of your views receives an :class:`~django.http.HttpRequest` object If one of your views receives an :class:`~django.http.HttpRequest` object

View File

@ -7,7 +7,6 @@ import inspect
import os import os
import sys import sys
from django.conf import settings
from django.core import mail from django.core import mail
from django.core.files.uploadedfile import SimpleUploadedFile from django.core.files.uploadedfile import SimpleUploadedFile
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
@ -19,7 +18,8 @@ from django.views.debug import ExceptionReporter
from .. import BrokenException, except_args from .. import BrokenException, except_args
from ..views import (sensitive_view, non_sensitive_view, paranoid_view, from ..views import (sensitive_view, non_sensitive_view, paranoid_view,
custom_exception_reporter_filter_view, sensitive_method_view) custom_exception_reporter_filter_view, sensitive_method_view,
sensitive_args_function_caller, sensitive_kwargs_function_caller)
@override_settings(DEBUG=True, TEMPLATE_DEBUG=True) @override_settings(DEBUG=True, TEMPLATE_DEBUG=True)
@ -306,17 +306,28 @@ class ExceptionReportTestMixin(object):
response = view(request) response = view(request)
self.assertEqual(len(mail.outbox), 1) self.assertEqual(len(mail.outbox), 1)
email = mail.outbox[0] email = mail.outbox[0]
# Frames vars are never shown in plain text email reports. # Frames vars are never shown in plain text email reports.
body = force_text(email.body) body_plain = force_text(email.body)
self.assertNotIn('cooked_eggs', body) self.assertNotIn('cooked_eggs', body_plain)
self.assertNotIn('scrambled', body) self.assertNotIn('scrambled', body_plain)
self.assertNotIn('sauce', body) self.assertNotIn('sauce', body_plain)
self.assertNotIn('worcestershire', body) self.assertNotIn('worcestershire', body_plain)
# Frames vars are shown in html email reports.
body_html = force_text(email.alternatives[0][0])
self.assertIn('cooked_eggs', body_html)
self.assertIn('scrambled', body_html)
self.assertIn('sauce', body_html)
self.assertIn('worcestershire', body_html)
if check_for_POST_params: if check_for_POST_params:
for k, v in self.breakfast_data.items(): for k, v in self.breakfast_data.items():
# All POST parameters are shown. # All POST parameters are shown.
self.assertIn(k, body) self.assertIn(k, body_plain)
self.assertIn(v, body) self.assertIn(v, body_plain)
self.assertIn(k, body_html)
self.assertIn(v, body_html)
def verify_safe_email(self, view, check_for_POST_params=True): def verify_safe_email(self, view, check_for_POST_params=True):
""" """
@ -328,22 +339,35 @@ class ExceptionReportTestMixin(object):
response = view(request) response = view(request)
self.assertEqual(len(mail.outbox), 1) self.assertEqual(len(mail.outbox), 1)
email = mail.outbox[0] email = mail.outbox[0]
# Frames vars are never shown in plain text email reports. # Frames vars are never shown in plain text email reports.
body = force_text(email.body) body_plain = force_text(email.body)
self.assertNotIn('cooked_eggs', body) self.assertNotIn('cooked_eggs', body_plain)
self.assertNotIn('scrambled', body) self.assertNotIn('scrambled', body_plain)
self.assertNotIn('sauce', body) self.assertNotIn('sauce', body_plain)
self.assertNotIn('worcestershire', body) self.assertNotIn('worcestershire', body_plain)
# Frames vars are shown in html email reports.
body_html = force_text(email.alternatives[0][0])
self.assertIn('cooked_eggs', body_html)
self.assertIn('scrambled', body_html)
self.assertIn('sauce', body_html)
self.assertNotIn('worcestershire', body_html)
if check_for_POST_params: if check_for_POST_params:
for k, v in self.breakfast_data.items(): for k, v in self.breakfast_data.items():
# All POST parameters' names are shown. # All POST parameters' names are shown.
self.assertIn(k, body) self.assertIn(k, body_plain)
# Non-sensitive POST parameters' values are shown. # Non-sensitive POST parameters' values are shown.
self.assertIn('baked-beans-value', body) self.assertIn('baked-beans-value', body_plain)
self.assertIn('hash-brown-value', body) self.assertIn('hash-brown-value', body_plain)
self.assertIn('baked-beans-value', body_html)
self.assertIn('hash-brown-value', body_html)
# Sensitive POST parameters' values are not shown. # Sensitive POST parameters' values are not shown.
self.assertNotIn('sausage-value', body) self.assertNotIn('sausage-value', body_plain)
self.assertNotIn('bacon-value', body) self.assertNotIn('bacon-value', body_plain)
self.assertNotIn('sausage-value', body_html)
self.assertNotIn('bacon-value', body_html)
def verify_paranoid_email(self, view): def verify_paranoid_email(self, view):
""" """
@ -445,6 +469,36 @@ class ExceptionReporterFilterTests(TestCase, ExceptionReportTestMixin):
self.verify_safe_email(sensitive_method_view, self.verify_safe_email(sensitive_method_view,
check_for_POST_params=False) check_for_POST_params=False)
def test_sensitive_function_arguments(self):
"""
Ensure that sensitive variables don't leak in the sensitive_variables
decorator's frame, when those variables are passed as arguments to the
decorated function.
Refs #19453.
"""
with self.settings(DEBUG=True):
self.verify_unsafe_response(sensitive_args_function_caller)
self.verify_unsafe_email(sensitive_args_function_caller)
with self.settings(DEBUG=False):
self.verify_safe_response(sensitive_args_function_caller, check_for_POST_params=False)
self.verify_safe_email(sensitive_args_function_caller, check_for_POST_params=False)
def test_sensitive_function_keyword_arguments(self):
"""
Ensure that sensitive variables don't leak in the sensitive_variables
decorator's frame, when those variables are passed as keyword arguments
to the decorated function.
Refs #19453.
"""
with self.settings(DEBUG=True):
self.verify_unsafe_response(sensitive_kwargs_function_caller)
self.verify_unsafe_email(sensitive_kwargs_function_caller)
with self.settings(DEBUG=False):
self.verify_safe_response(sensitive_kwargs_function_caller, check_for_POST_params=False)
self.verify_safe_email(sensitive_kwargs_function_caller, check_for_POST_params=False)
class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin): class AjaxResponseExceptionReporterFilter(TestCase, ExceptionReportTestMixin):
""" """

View File

@ -132,6 +132,7 @@ def send_log(request, exc_info):
][0] ][0]
orig_filters = admin_email_handler.filters orig_filters = admin_email_handler.filters
admin_email_handler.filters = [] admin_email_handler.filters = []
admin_email_handler.include_html = True
logger.error('Internal Server Error: %s', request.path, logger.error('Internal Server Error: %s', request.path,
exc_info=exc_info, exc_info=exc_info,
extra={ extra={
@ -184,6 +185,38 @@ def paranoid_view(request):
send_log(request, exc_info) send_log(request, exc_info)
return technical_500_response(request, *exc_info) return technical_500_response(request, *exc_info)
def sensitive_args_function_caller(request):
try:
sensitive_args_function(''.join(['w', 'o', 'r', 'c', 'e', 's', 't', 'e', 'r', 's', 'h', 'i', 'r', 'e']))
except Exception:
exc_info = sys.exc_info()
send_log(request, exc_info)
return technical_500_response(request, *exc_info)
@sensitive_variables('sauce')
def sensitive_args_function(sauce):
# Do not just use plain strings for the variables' values in the code
# so that the tests don't return false positives when the function's source
# is displayed in the exception report.
cooked_eggs = ''.join(['s', 'c', 'r', 'a', 'm', 'b', 'l', 'e', 'd'])
raise Exception
def sensitive_kwargs_function_caller(request):
try:
sensitive_kwargs_function(''.join(['w', 'o', 'r', 'c', 'e', 's', 't', 'e', 'r', 's', 'h', 'i', 'r', 'e']))
except Exception:
exc_info = sys.exc_info()
send_log(request, exc_info)
return technical_500_response(request, *exc_info)
@sensitive_variables('sauce')
def sensitive_kwargs_function(sauce=None):
# Do not just use plain strings for the variables' values in the code
# so that the tests don't return false positives when the function's source
# is displayed in the exception report.
cooked_eggs = ''.join(['s', 'c', 'r', 'a', 'm', 'b', 'l', 'e', 'd'])
raise Exception
class UnsafeExceptionReporterFilter(SafeExceptionReporterFilter): class UnsafeExceptionReporterFilter(SafeExceptionReporterFilter):
""" """
Ignores all the filtering done by its parent class. Ignores all the filtering done by its parent class.