Comments (5)
I'm not sure exactly where this should be changed. Probably in ClientResponseError or RequestInfo.
I also wonder if there shouldn't be a more generic way to mark things as sensitive (e.g. URLs could contain sensitive information). For example, Pydantic has SecretStr.
@webknjaz Any thoughts?
@Dreamsorcerer I also have a SecretStr in octomachinery (I think I borrowed it from environs). It may make sense to have this in yarl even. We also don't know if the username portion is secret (some services use it for tokens). I know that some recommendations exist to have tokens in headers so that they don't hit the access logs, but that's an end-user thing.
The biggest problem is that we don't know upfront what the end-users treat as secret. Another thing to consider is that a lot of software still prints out secrets in verbose/debug modes.
@JPFrancoia I'd like to point out that the responsible way of raising any security-sensitive topics is outlined in the security policy, and it's not public: https://github.com/aio-libs/aiohttp/security/policy.
@webknjaz fair point, I wasn't sure if I was doing something wrong. I'll err on the side of caution and use the security-sensitive template next time, really sorry about that.
The biggest problem is that we don't know upfront what the end-users treat as secret
Exactly why I thought about a SecretStr, so the user can choose which things to hide from logs. For some users, some headers should not be logged, for others maybe the URL path or even domain should not be logged, etc.
I'd like to point out that the responsible way of raising any security-sensitive topics is outlined in the security policy, and it's not public: https://github.com/aio-libs/aiohttp/security/policy.
I think the wording of the title is bad. I read the issue, not as a security vulnerability in aiohttp, but as a feature request to allow users to improve security in their applications.
I amended the title. It's a bit tricky because the behaviour of aiohttp is surprising compared to other popular libs, which exclude the headers from their exceptions by default. There is nothing fundamentally wrong with how aiohttp works, but we need to make a conscious effort to prevent headers (and hence tokens) from leaking. When debugging code using other libs, I had to voluntarily print the headers to see if the tokens (and other stuff) were correct. IMO the second situation is more foolproof.
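As an added illustration of the two ideas raised in the thread, a SecretStr that masks itself wherever it is stringified and a helper that strips credential-bearing headers before an error is logged (example code, not aiohttp's own; ResponseErrorStub is a constructed stand-in for an exception that embeds the request headers in its message, and SENSITIVE_HEADERS is an assumed list):

```python
from typing import Mapping

# Assumed list of header names that usually carry credentials; extend per deployment.
SENSITIVE_HEADERS = frozenset(
    {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
)
MASK = "<redacted>"


class SecretStr(str):
    """str whose str()/repr()/format() output is masked, so a wrapped token cannot
    reach a log line or exception message by accident (same idea as Pydantic's).
    Call get_secret_value() only at the point where the real value is needed."""

    def __str__(self) -> str:
        return MASK

    def __repr__(self) -> str:
        return f"SecretStr('{MASK}')"

    def __format__(self, spec: str) -> str:
        return MASK

    def get_secret_value(self) -> str:
        return str.__str__(self)


def redact_headers(headers: Mapping[str, str]) -> dict:
    """Copy of `headers` with the values of credential-bearing headers masked."""
    return {k: (MASK if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


class ResponseErrorStub(Exception):
    """Constructed stand-in for a client error whose message carries the request
    headers (the behaviour the thread describes); not aiohttp's ClientResponseError."""

    def __init__(self, status: int, request_headers: Mapping[str, str]):
        self.status = status
        self.request_headers = dict(request_headers)
        super().__init__(f"{status}, request_headers={self.request_headers}")


def safe_error_message(exc: ResponseErrorStub) -> str:
    """Log-safe rendering: status kept, credential-bearing headers masked."""
    return f"{exc.status}, request_headers={redact_headers(exc.request_headers)}"


if __name__ == "__main__":
    token = SecretStr("sk-constructed-123")  # constructed sample token
    exc = ResponseErrorStub(401, {"Authorization": f"Bearer {token.get_secret_value()}"})
    print(str(exc))                 # contains the token
    print(safe_error_message(exc))  # token masked
```

Note that `f"Bearer {token}"` yields `Bearer <redacted>`, so the real value must be fetched with `get_secret_value()` exactly where the header is built and nowhere else.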