Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

_mask_credentials uses UGC in a regex substitution #410

Closed
barm opened this issue Mar 31, 2020 · 0 comments · Fixed by #413
Closed

_mask_credentials uses UGC in a regex substitution #410

barm opened this issue Mar 31, 2020 · 0 comments · Fixed by #413

Comments

@barm
Copy link

barm commented Mar 31, 2020
edited
Loading

I recently ran into an issue when testing passwords with whitespace characters on an app with silk installed. I found that if I have multiple consecutive spaces in a password (which silk treats as a sensitive field and tries to mask), the regex substitution in _mask_credentials fails. This is because the user input is used as a pattern in a re.sub and so if the user uses certain characters, they are interpreted as a regex pattern. Space here in the raw_body is a literal +. This seems unsafe.

for res in results:
    body = re.sub(res[1], RequestModelFactory.CLEANSED_SUBSTITUTE, body)

From: https://github.com/jazzband/django-silk/blob/master/silk/model_factory.py#L131

Is there any reason we can't do a simple string replace instead?

for res in results:
    body = body.replace(res[1], RequestModelFactory.CLEANSED_SUBSTITUTE)
ThePumpingLemma pushed a commit to ThePumpingLemma/django-silk that referenced this issue Apr 7, 2020
Replace the call to re.findall with re.sub in _mask_credentials so
72b80da 
matched values are not treated as regex patterns

This fixes jazzband#410
@ThePumpingLemma ThePumpingLemma mentioned this issue Apr 7, 2020
Merged
nasirhjafri pushed a commit that referenced this issue Apr 7, 2020
@ThePumpingLemma
Replace the call to re.findall with re.sub in _mask_credentials so (#413
186cfb3 
)

matched values are not treated as regex patterns

This fixes #410
yaroslav0114 pushed a commit to yaroslav0114/django-silk that referenced this issue Dec 17, 2022
Replace the call to re.findall with re.sub in _mask_credentials so (#…
499cd9c 
…413)

matched values are not treated as regex patterns

This fixes jazzband/django-silk#410
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@barm