Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace the call to re.findall with re.sub in _mask_credentials so matched values are not treated as regex patterns #413

Merged
merged 1 commit into from
Apr 7, 2020
Merged

Replace the call to re.findall with re.sub in _mask_credentials so matched values are not treated as regex patterns #413

merged 1 commit into from
Apr 7, 2020

Conversation

ThePumpingLemma
Copy link
Contributor

@ThePumpingLemma ThePumpingLemma commented Apr 7, 2020
edited
Loading

This fixes #410

This also fixes a DoS attack:

  • Form is submitted with multiple empty fields that match the mask filter
  • Substitution loop repeatedly calls re.sub with an empty pattern
  • Cleansed string is inserted between every pair of characters
  • Loop iterations causes exponential growth of body string, preventing the request from ever finishing

Replace the call to re.findall with re.sub in _mask_credentials so
72b80da 
matched values are not treated as regex patterns

This fixes jazzband#410
barm
barm reviewed Apr 7, 2020
View reviewed changes
Copy link

@barm barm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add some more test cases to handle all the nuance here?

barm
barm reviewed Apr 7, 2020
View reviewed changes
project/tests/test_sensitive_data_in_request.py
@@ -36,6 +36,9 @@ def test_mask_credentials_handles_prefixes(self):
def test_mask_credentials_handles_suffixes(self):
self.assertNotIn("secret", self._mask("username-with-suffix=secret"))

def test_mask_credentials_handles_regex_characters(self):
self.assertNotIn("secret", self._mask("password=secret++"))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

nasirhjafri
nasirhjafri approved these changes Apr 7, 2020
View reviewed changes
Copy link
Member

@nasirhjafri nasirhjafri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ThePumpingLemma LGTM 👍

@nasirhjafri nasirhjafri merged commit 186cfb3 into jazzband:master Apr 7, 2020
@ThePumpingLemma ThePumpingLemma deleted the say-no-to-regexes branch April 15, 2020 22:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@barm barm barm left review comments

@rossmechanic rossmechanic rossmechanic approved these changes

@nasirhjafri nasirhjafri nasirhjafri approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

_mask_credentials uses UGC in a regex substitution
4 participants
@ThePumpingLemma @barm @rossmechanic @nasirhjafri