
🔒️ Maintenance: Fixes issues detected by code scanning #5207

Merged
merged 9 commits into from
Jan 3, 2024

Conversation

pcrespov
Member

@pcrespov pcrespov commented Dec 29, 2023

What do these changes do?

Fixes "Clear-text logging of sensitive information" detected by code-scanning alerts 27, 28, 29 (in osparc variables) and 18 (in log decorators), and:

  • ✨ adds mask_sensitive_data to mask values in a dict[str, Any]
    • ♻️ uses mask_sensitive_data in existing log functions

Related issue/s

Unnecessary logs:

Mask secrets in logs:
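An illustrative implementation of the masking approach the PR describes (an added example, not osparc's servicelib code): a key-based masker over a dict[str, Any] plus a helper that renders a call for a log decorator. The sensitive-key pattern, the placeholder value and the handling of positional arguments are assumptions made here.

```python
import re
from typing import Any

# Assumption: the project's actual placeholder string is not shown on this page.
_PLACEHOLDER = "*****"
# Assumption: key names treated as sensitive; the project's own list may differ.
_SENSITIVE_KEY = re.compile(
    r"secret|password|passwd|token|api[-_]?key|authorization", re.IGNORECASE
)


def mask_sensitive_data(
    data: dict[str, Any], *, placeholder: str = _PLACEHOLDER
) -> dict[str, Any]:
    """Return a copy of `data` with every value under a sensitive-looking key
    replaced by `placeholder`. Nested dicts are masked recursively and the
    input is never mutated, so the caller keeps the real values and only the
    copy is handed to the logger."""
    masked: dict[str, Any] = {}
    for key, value in data.items():
        if _SENSITIVE_KEY.search(key):
            masked[key] = placeholder
        elif isinstance(value, dict):
            masked[key] = mask_sensitive_data(value, placeholder=placeholder)
        else:
            masked[key] = value
    return masked


def format_call_for_log(func_name: str, *args: Any, **kwargs: Any) -> str:
    """Render a function call the way a log decorator would, masking kwargs
    by key. Positional *args carry no name to match against, so (a choice
    made in this example, not the project's) they are logged as a count
    rather than by value, which is the only way to keep them from leaking."""
    safe_kwargs = mask_sensitive_data(kwargs)
    rendered = ", ".join(f"{k}={v!r}" for k, v in safe_kwargs.items())
    return f"{func_name}(<{len(args)} positional arg(s)>, {rendered})"


if __name__ == "__main__":
    # Constructed sample call: the token and password must not reach the log.
    print(format_call_for_log("login", "tok-123", user="bob", password="hunter2"))
```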


codecov bot commented Dec 29, 2023

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (9b5cf5a) 87.3% compared to head (063330b) 86.9%.


@@           Coverage Diff            @@
##           master   #5207     +/-   ##
========================================
- Coverage    87.3%   86.9%   -0.4%     
========================================
  Files        1291    1031    -260     
  Lines       52918   44433   -8485     
  Branches     1158     605    -553     
========================================
- Hits        46231   38643   -7588     
+ Misses       6437    5649    -788     
+ Partials      250     141    -109     
Flag Coverage Δ
integrationtests 64.9% <0.0%> (+<0.1%) ⬆️
unittests 84.3% <90.9%> (-0.9%) ⬇️

Flags with carried forward coverage won't be shown.

Files Coverage Δ
...vice-library/src/servicelib/fastapi/httpx_utils.py 88.0% <100.0%> (-0.5%) ⬇️
...es/service-library/src/servicelib/logging_utils.py 72.7% <100.0%> (+0.3%) ⬆️
...es/service-library/src/servicelib/utils_secrets.py 92.3% <100.0%> (+3.4%) ⬆️
...ector_v2/modules/osparc_variables_substitutions.py 77.4% <0.0%> (+0.4%) ⬆️

... and 266 files with indirect coverage changes

@pcrespov pcrespov self-assigned this Dec 29, 2023
@pcrespov pcrespov added t:maintenance Some planned maintenance work security Pull requests that address a security vulnerability labels Dec 29, 2023
@pcrespov pcrespov added this to the Kobayashi Maru milestone Dec 29, 2023
@pcrespov pcrespov marked this pull request as ready for review December 29, 2023 17:59

sonarcloud bot commented Dec 29, 2023

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@pcrespov pcrespov enabled auto-merge (squash) December 30, 2023 11:41
Contributor

@GitHK GitHK left a comment


Good with me, this will make it less likely to leak secrets.

@@ -135,8 +137,13 @@ def test_logger_propagation(logger: logging.Logger):
def _log_arguments(
logger_obj: logging.Logger, level: int, func: Callable, *args, **kwargs
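Review bot: the signature still accepts `*args`, and since the PR's `mask_sensitive_data` operates on a `dict[str, Any]`, only `**kwargs` can be matched by key and masked; a secret passed positionally still reaches the log unmasked. If dropping `*args` is out of scope for this PR, document that limitation in `_log_arguments` and consider rendering positional arguments by count or type rather than by value so the decorator cannot echo them.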
Contributor

At this point it would make sense to drop the *args, since secrets can still escape via it, but I don't think that is doable.

Member Author

I see your point. That is indeed what I suggested in the comment. But removing *args requires reviewing all the references to this call.

@@ -61,7 +62,7 @@ async def test_to_curl_command(client: AsyncClient):

assert (
cmd_short
== 'curl -X POST -H "host: test_base_http_api" -H "accept: */*" -H "accept-encoding: gzip, deflate" -H "connection: keep-alive" -H "user-agent: python-httpx/0.25.0" -H "x-secret: *****" -H "content-length: 9" -H "content-type: application/json" -d \'{"y": 12}\' https://test_base_http_api/foo?x=3'
== f'curl -X POST -H "host: test_base_http_api" -H "accept: */*" -H "accept-encoding: gzip, deflate" -H "connection: keep-alive" -H "user-agent: python-httpx/0.25.0" -H "x-secret: {_PLACEHOLDER}" -H "content-length: 9" -H "content-type: application/json" -d \'{{"y": 12}}\' https://test_base_http_api/foo?x=3'
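Review bot: the expected value now comes from `_PLACEHOLDER`, the same constant the implementation uses, so the test can no longer catch a regression where the placeholder is changed to something that reveals part of the secret. Keep the f-string form, but add a negative assertion that the real `x-secret` header value sent by the client does not appear anywhere in `cmd_short`; that absence is the property the masking is meant to guarantee, independent of what the placeholder looks like.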
Contributor

Q: is this change correct? I would have expected the secret to be naked like it was before.

Member Author

What do you mean by naked? This is as it was before, but instead of hard-coding the ***s I am using the placeholder.

Contributor

@matusdrobuliak66 matusdrobuliak66 left a comment


Thanks 👍

@pcrespov pcrespov disabled auto-merge January 3, 2024 08:42
@pcrespov pcrespov merged commit 21ea75e into ITISFoundation:master Jan 3, 2024
54 checks passed
@pcrespov pcrespov deleted the maintenance/code-scanning branch January 3, 2024 08:51
@matusdrobuliak66 matusdrobuliak66 mentioned this pull request Feb 14, 2024