Security improvement: raise_for_status + ClientError prevent tokens from leaking #8402
Comments
JPFrancoia
changed the title
|
I'm not sure exactly where this should be changed. Probably in ClientResponseError or RequestInfo. I also wonder if there shouldn't be a more generic way to mark things as sensitive (e.g. URLs could contain sensitive information). For example, Pydantic has SecretStr. @webknjaz Any thoughts? |
|
@Dreamsorcerer I also have a SecretStr in octomachinery (I think I borrowed it from environs).. It may make sense to have this in yarl even. We also don't know if the username portion is secret (some services use it for tokens). I know that some recommendations exist to have tokens in headers so that they don't hit the access logs, but that's an end-user thing. @JPFrancoia I'd like to point out that the responsible way of raising any security-sensitive topics is outlined in the security policy, and it's not public: https://github.com/aio-libs/aiohttp/security/policy. |
|
@webknjaz fair point, I wasn't sure if I was doing something wrong. I'll err on the side of caution and use the security-sensitive template next time, really sorry about that. |
Exactly why I thought about a SecretStr, so the user can choose which things to hide from logs. For some users, some headers should not be logged, for others maybe the URL path or even domain should not be logged, etc.
I think the wording of the title is bad. I read the issue, not as a security vulnerability in aiohttp, but as a feature request to allow users to improve security in their applications. |
JPFrancoia
changed the title
|
I amended the title. It's a bit tricky because the behaviour of aiohttp is surprising compared to other popular libs, which exclude the headers from their exceptions by default. There is nothing fundamentally wrong with how aiohttp works, but we need to make a conscious effort to prevent headers (and hence tokens) to leak. When debugging code using other libs, I had to voluntarily print the headers to see if the tokens (and other stuff) were correct. IMO the second situation is more fool proof. |
Describe the bug
When building a client like this:
or more generally, when using
raise_for_status, any call toclient.get,client.post, etc, can throw aClientResponseError. By default this exception will include the server headers:aiohttp/aiohttp/client_reqrep.py
Line 1007 in 2eccb8b
If the request was authenticated (i.e: if the headers contained an
Authorizationfield) and if the server sends back the headers, the token will be printed out in the exception.This scenario just happened to me:
AuthorizationfieldThis is problematic. I could do this to solve this problem for myself:
But I think good security should be provided by default. I would argue that most requests these days are authenticated and that tokens should never be printed out by default. This could be a very sneaky problem, if some day an API decides to send back some headers with a token it could surprise people.
I see several approaches:
use_headersflag to theraise_for_statusfunction, set to True at first (to not break compatibility), and set to False in a few versionsI am happy to submit a PR if people think it's a good idea.
To Reproduce
The server needs to send back server errors and the get/post needs to fail.
Expected behavior
When a
ClientErroris raised, the headers shouldn't be present in the exception OR we should be able to disable them, to not leak tokens.Logs/tracebacks
Python Version
aiohttp Version
multidict Version
yarl Version
OS
macOS
Related component
Client
Additional context
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: