Comments (5)
I'm not sure exactly where this should be changed. Probably in ClientResponseError or RequestInfo.
I also wonder if there shouldn't be a more generic way to mark things as sensitive (e.g. URLs could contain sensitive information). For example, Pydantic has SecretStr.
@webknjaz Any thoughts?
@Dreamsorcerer I also have a SecretStr in octomachinery (I think I borrowed it from environs). It may make sense to have this in yarl even. We also don't know if the username portion is secret (some services use it for tokens). I know that some recommendations exist to have tokens in headers so that they don't hit the access logs, but that's an end-user thing.
The biggest problem is that we don't know upfront what the end-users treat as secret. Another thing to consider is that a lot of software still prints out secrets in verbose/debug modes.
@JPFrancoia I'd like to point out that the responsible way of raising any security-sensitive topics is outlined in the security policy, and it's not public: https://github.com/aio-libs/aiohttp/security/policy.
@webknjaz fair point, I wasn't sure if I was doing something wrong. I'll err on the side of caution and use the security-sensitive template next time, really sorry about that.
The biggest problem is that we don't know upfront what the end-users treat as secret
Exactly why I thought about a SecretStr, so the user can choose which things to hide from logs. For some users, some headers should not be logged, for others maybe the URL path or even domain should not be logged, etc.
I'd like to point out that the responsible way of raising any security-sensitive topics is outlined in the security policy, and it's not public: https://github.com/aio-libs/aiohttp/security/policy.
I think the wording of the title is bad. I read the issue, not as a security vulnerability in aiohttp, but as a feature request to allow users to improve security in their applications.
I amended the title. It's a bit tricky because the behaviour of aiohttp is surprising compared to other popular libs, which exclude the headers from their exceptions by default. There is nothing fundamentally wrong with how aiohttp works, but we need to make a conscious effort to prevent headers (and hence tokens) from leaking. When debugging code using other libs, I had to voluntarily print the headers to see if the tokens (and other stuff) were correct. IMO the second situation is more foolproof.
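The thread discusses two defensive ideas: a SecretStr-style wrapper that hides a value from str()/repr(), and keeping request/response headers (and the tokens they carry) out of logs when a client error is reported. The following is an added example written for this page, not code from aiohttp, pydantic, octomachinery or environs. It assumes a constructed list of header names to treat as secret, a constructed stand-in exception class (`DemoResponseError`) that exposes `status`, `message` and `headers` the way aiohttp's ClientResponseError does, and a constructed log message; wiring the helpers to a real aiohttp exception is left to the caller.

```python
"""Keep tokens out of logs: a SecretStr wrapper, header redaction and a logging.Filter.

Added example for the aiohttp discussion above; none of this is aiohttp's own code.
"""
from __future__ import annotations

import logging
import re
from collections.abc import Mapping

# Constructed allow-list of header names whose values are never logged (adjust per deployment).
SENSITIVE_HEADERS = frozenset(
    {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
)
REDACTED = "***"


class SecretStr:
    """Holds a secret but renders as '***' in str()/repr(), so accidental logging shows nothing.

    Same idea as pydantic's SecretStr; this is an independent, minimal version.
    """

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def get_secret_value(self) -> str:
        """Explicit accessor: the only way to obtain the real value."""
        return self._value

    def __str__(self) -> str:
        return REDACTED

    def __repr__(self) -> str:
        return f"SecretStr({REDACTED!r})"


def redact_headers(headers: Mapping[str, str]) -> dict[str, str]:
    """Return a copy safe for logging: values of sensitive headers replaced by REDACTED."""
    return {
        name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


# Credentials also leak through free-text messages (e.g. an exception string that embeds
# headers); this catches 'Bearer <token>' / 'Basic <base64>' in any logged text.
_CREDENTIAL_RE = re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9._~+/=-]+")


def redact_text(text: str) -> str:
    """Replace the credential part of 'Bearer ...' / 'Basic ...' occurrences with REDACTED."""
    return _CREDENTIAL_RE.sub(lambda m: f"{m.group(1)} {REDACTED}", text)


class RedactingFilter(logging.Filter):
    """Rewrites each record's rendered message before any handler formats or ships it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is already rendered; prevent a second %-formatting pass
        return True


class DemoResponseError(Exception):
    """Constructed stand-in for an HTTP client error that carries response headers
    (attribute names mirror aiohttp's ClientResponseError; this is not that class)."""

    def __init__(self, status: int, message: str, headers: Mapping[str, str]) -> None:
        super().__init__(message)
        self.status = status
        self.message = message
        self.headers = dict(headers)


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_error_safely(exc: DemoResponseError, logger_name: str = "redaction_demo") -> list[str]:
    """Log a client error with headers redacted and the text filter applied; return the lines."""
    logger = logging.getLogger(logger_name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = _ListHandler()
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.error(
        "request failed: status=%s message=%s headers=%s",
        exc.status, exc.message, redact_headers(exc.headers),
    )
    return handler.lines


if __name__ == "__main__":
    # Constructed sample: the message itself echoes the token, as debug output often does.
    err = DemoResponseError(
        status=401,
        message="unauthorized (sent Bearer abc.def)",
        headers={"Authorization": "Bearer abc.def", "Content-Type": "application/json"},
    )
    print(log_error_safely(err)[0])
    print(SecretStr("abc.def"), repr(SecretStr("abc.def")))
```

The two layers are deliberate: `redact_headers` handles the structured case where you know which field is secret, while `RedactingFilter` is the safety net for text that was already formatted by someone else (an exception's string form, a verbose/debug trace). Neither layer can know what an end user considers secret, which is why the header list is configuration rather than a fixed constant.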