traceback_with_variables is not safe for production use due to password leaking, yet the documentation states "keep for production use" #26
Comments
Hi Mike, sorry for the inconvenience and thanks for sparing time to address this issue here! Yeah, let's fix that. At the moment I've got:
The trouble is that the basic usage can't rely on advanced users' actions :/ So my plan A is to
Hi Andy - thanks for your reply! A note in the docs about passwords / production is all I am asking for, since when I scanned I didn't see anything mentioning it. That would be great, thanks very much!
No, it's not in the default filters; I decided it's way too varied how one can name the password. But maybe ['pwd', 'password'] would do. At the moment it's done like
Could you give an example of roughly what variables need hiding, please?
Hi -
I am receiving CVE reports that my library (SQLAlchemy) is dumping passwords into log files. It, of course, is not; they are using this package in production to dump all private variables into their logs. I don't see any mechanism by which traceback_with_variables could recognize password strings that are necessarily present as cleartext within third-party libraries.
I would propose that traceback_with_variables' documentation be amended to note that this tool is not safe for production use in any scenario where there are passwords or other secrets present at runtime. That way I can point people to this documentation when my package (or any of thousands of other packages that receive a password and/or secret within a private variable) is claimed to have CVEs in it.
Demo:
output:
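The demo and its output are not reproduced on this page. What follows is an added example written for this edit, not code from the issue or from traceback_with_variables, that shows the mechanism the report describes with a minimal frame-local dumper of its own: a stand-in for a third-party driver (`library_connect`) receives the credential embedded in a connection string held in a local named `dsn`, so a filter on variable names such as `password` or `pwd` cannot catch it. The function names, the `hunter2` credential and the DSN format are all constructed for this illustration.

```python
"""Added example (not code from the issue or from traceback_with_variables):
a minimal frame-local dumper in the spirit of the report, used to show why a
variable-name filter cannot stop a credential from reaching the log."""
from typing import Iterable, List, Tuple

SECRET = "hunter2"  # constructed credential for the demo


def library_connect(dsn: str) -> None:
    """Stand-in for a third-party driver (constructed). It receives the
    credential embedded in a connection string; its local is called `dsn`,
    not `password`, so no name list the dumper ships with would cover it."""
    host = dsn.rsplit("@", 1)[1]
    raise ConnectionError(f"cannot reach {host}")


def app_login(password: str) -> None:
    """Application code (constructed). It names its own local `password`,
    which a name filter hides, but it must build a DSN to call the library,
    and that DSN carries the same secret under a different name."""
    dsn = f"app_user:{password}@db.internal"
    library_connect(dsn)


def make_exception() -> BaseException:
    """Trigger the failure and hand back the exception with its traceback."""
    try:
        app_login(SECRET)
    except ConnectionError as exc:
        return exc
    raise AssertionError("unreachable")


def dump_locals(exc: BaseException, hide_names: Iterable[str] = ()) -> str:
    """Format the traceback and append every frame's locals, replacing any
    variable whose *name* is in hide_names. This mimics the general kind of
    behaviour under discussion; it is not the library's implementation."""
    hidden = {n.lower() for n in hide_names}
    lines: List[str] = ["Traceback (most recent call last):"]
    tb = exc.__traceback__
    while tb is not None:
        code = tb.tb_frame.f_code
        lines.append(f'  File "{code.co_filename}", line {tb.tb_lineno}, in {code.co_name}')
        for name, value in tb.tb_frame.f_locals.items():
            shown = "<hidden>" if name.lower() in hidden else repr(value)
            lines.append(f"      {name} = {shown}")
        tb = tb.tb_next
    lines.append(f"{type(exc).__name__}: {exc}")
    return "\n".join(lines)


def find_secret_carriers(exc: BaseException, secret: str) -> List[Tuple[str, str]]:
    """Audit helper: list every (function, variable) in the traceback whose
    repr contains the secret, i.e. every place a locals dump would leak it.
    It only works for a secret you already know, so it is a test-time check,
    not a runtime guard."""
    hits: List[Tuple[str, str]] = []
    tb = exc.__traceback__
    while tb is not None:
        code = tb.tb_frame.f_code
        for name, value in tb.tb_frame.f_locals.items():
            if secret in repr(value):
                hits.append((code.co_name, name))
        tb = tb.tb_next
    return hits


def report(hide_names: Iterable[str] = ()) -> str:
    """Produce the dump for the constructed failure with an optional name filter."""
    return dump_locals(make_exception(), hide_names)


if __name__ == "__main__":
    filtered = report(hide_names=["password", "pwd"])
    print(filtered)
    print("secret leaked despite name filter:", SECRET in filtered)
    print("carriers:", find_secret_carriers(make_exception(), SECRET))
```

Run as a script, the report hides `password` in the application frame but still prints the credential twice, once in the application's `dsn` and once in the library's, which is the point of the issue: the secret's name is chosen by whichever third-party frame happens to hold it, not by the application or by the dumper's default list. The `find_secret_carriers` helper is the check a practitioner can run against a known test credential before enabling any locals dumper in a deployment; it cannot protect secrets it does not know about.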