fix(core): hide sensitive data from error messages #85

Merged
merged 1 commit into from
Oct 21, 2019

Conversation

eliangcs
Member

@eliangcs eliangcs commented Oct 18, 2019

The URL querystring may contain sensitive data, so it shouldn't be shown in the error message.

Fixes https://github.com/zapier/zapier/issues/32319.

@eliangcs eliangcs requested a review from xavdid as a code owner October 18, 2019 06:57
Contributor

@xavdid xavdid left a comment

Cool, so this does solve the problem.

I'm wondering if there was a reason you didn't keep the query, but use the existing censoring tools. I can imagine a situation where it's helpful to see the innocuous query contents while ensuring we don't leak secret things.

I'm also worried that there are other situations where data in the auth mapping doesn't get censored (since it's not added to bundle.authData or process.env, what we source the secure bundle from).

In any case, this is probably fine to ship. Thanks for grabbing!

@eliangcs eliangcs changed the title fix(core): strip URL querystring from error message fix(core, legacy-scripting-runner): hide sensitive data from error messages Oct 21, 2019
@eliangcs eliangcs force-pushed the strip-querystring-from-error-message branch from 27a78de to c737413 Compare October 21, 2019 07:52
@eliangcs eliangcs changed the title fix(core, legacy-scripting-runner): hide sensitive data from error messages fix(core): hide sensitive data from error messages Oct 21, 2019
@eliangcs eliangcs merged commit d90c29d into master Oct 21, 2019
@eliangcs eliangcs deleted the strip-querystring-from-error-message branch October 21, 2019 08:07
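
The trade-off discussed in this thread, as an added example that is not code from this pull request or from zapier-platform: stripping the querystring from the URL in an error message versus keeping it and censoring values. The function names, the `CENSORED` placeholder, the key pattern, and all sample URLs and secrets are constructed for illustration.

```javascript
// Added example. Names and sample values are hypothetical, not the project's code.

// Approach 1: drop the querystring (and fragment) before the URL reaches a message.
function stripQuery(rawUrl) {
  const u = new URL(rawUrl);
  u.search = '';
  u.hash = '';
  return u.toString();
}

// Approach 2: keep the query, but censor a value when it equals a known secret
// or when its key name looks sensitive (assumed heuristic pattern).
const SENSITIVE_KEY = /(api[_-]?key|token|secret|passw(or)?d|signature|auth)/i;

function censorQuery(rawUrl, knownSecrets = []) {
  const u = new URL(rawUrl);
  const secrets = new Set(knownSecrets.filter((s) => typeof s === 'string' && s));
  const out = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    const hit = secrets.has(value) || SENSITIVE_KEY.test(key);
    out.append(key, hit ? 'CENSORED' : value);
  }
  u.search = out.toString();
  return u.toString();
}

function errorMessage(status, rawUrl, sanitize) {
  return `Got ${status} calling GET ${sanitize(rawUrl)}`;
}

// Constructed inputs. KNOWN stands in for values sourced from auth data or env.
const KNOWN = ['constructed-secret-123'];
const MAPPED_URL =
  'https://api.example.com/v1/items?page=2&api_key=constructed-secret-123';
// A secret placed in the URL that never made it into KNOWN, under a bland key.
const UNMAPPED_URL =
  'https://api.example.com/v1/items?page=2&k=constructed-unmapped-999';

console.log(errorMessage(401, MAPPED_URL, stripQuery));
console.log(errorMessage(401, MAPPED_URL, (u) => censorQuery(u, KNOWN)));
// Censoring only covers what it knows about; this one passes through unchanged.
console.log(errorMessage(401, UNMAPPED_URL, (u) => censorQuery(u, KNOWN)));
console.log(errorMessage(401, UNMAPPED_URL, stripQuery));
```

Censoring keeps `page=2` visible for debugging, while stripping is the only one of the two that also hides a secret the censor list was never told about.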