Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ResilientSession: do not log request data on ConnectionError #928

Merged
merged 3 commits into from
May 25, 2021
Merged

ResilientSession: do not log request data on ConnectionError #928

merged 3 commits into from
May 25, 2021

Conversation

Flupp
Copy link
Contributor

@Flupp Flupp commented Apr 17, 2020

The request data may contain secrets, e.g., a plaintext password when using basic auth. Therefore the request data shall not be logged.

In version 2.0.0, the basic auth login credentials were logged when a ConnectionError was triggered by an invalid SSL certificate. With current master this is not the case anymore, however, the problem might still occur under other circumstances.

@Flupp Flupp mentioned this pull request Oct 12, 2020
Closed
@studioj studioj closed this May 11, 2021
@studioj studioj reopened this May 11, 2021
@studioj
Copy link
Collaborator

studioj commented May 11, 2021

@Flupp would you be able to write a test for it? since CI is up and running ...

@Flupp
Copy link
Contributor Author

Flupp commented May 13, 2021

I tried coming up with a test for checking that ResilientSession writes no sensitive data to the log.

While doing that I noticed and fixed another problem; see ef184c7.

@Flupp
Copy link
Contributor Author

Flupp commented May 13, 2021

Addressed CI linting errors.

@Flupp
Copy link
Contributor Author

Flupp commented May 16, 2021

Rebased and resolved merge conflicts. The problem I fixed in ef184c7 was fixed by 6e51395 in the meantime.

I also silenced a false positive Codacy Static Code Analysis warning by renaming a variable. Some of the remaining warnings disagree with black.

studioj
studioj reviewed May 16, 2021
View reviewed changes
@Flupp
Copy link
Contributor Author

Flupp commented May 22, 2021

Rebased and fixed merge conflicts introduced by d1f244c.

Flupp added 3 commits May 24, 2021 17:59
@Flupp
ResilientSession: make maximal retry delay configurable
b331f6a
@Flupp
ResilientSession: do not log request data on ConnectionError
6f78518 
The request data may contain secrets, e.g., a plaintext password when
using basic auth. Therefore the request data shall not be logged.
@Flupp
test that no sensitive data is written to the log
1545a7b 
The test checks that no sensitive data is written to the log in case of
a connection errors.
@Flupp
Copy link
Contributor Author

Flupp commented May 24, 2021

Rebased and fixed timeout issue in test by introducing configurable maximal retry delay in b331f6a.

studioj
studioj reviewed May 24, 2021
View reviewed changes
jira/resilientsession.py
@@ -129,7 +130,7 @@ def __recoverable(
msg = "Atlassian's bug https://jira.atlassian.com/browse/JRA-41559"

# Exponential backoff with full jitter.
delay = min(60, 10 * 2 ** counter) * random.random()
delay = min(self.max_retry_delay, 10 * 2 ** counter) * random.random()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@studioj
Copy link
Collaborator

studioj commented May 24, 2021

the codacy fail can be ignored i think https://app.codacy.com/gh/pycontribs/jira/pullRequest?prid=7435641

@Flupp
Copy link
Contributor Author

Flupp commented May 24, 2021

Do I have to do something to ignore the Codacy warning (like adding some annotation in the code) or will you just silently ignore the warning?

@studioj
Copy link
Collaborator

studioj commented May 24, 2021

Do I have to do something to ignore the Codacy warning (like adding some annotation in the code) or will you just silently ignore the warning?

@ssbarnea should "approve" it in the tool i think

@studioj studioj requested review from adehad and ssbarnea May 24, 2021 17:35
@ssbarnea
Copy link
Member

FYI, I removed codacity, too much false positives.

@ssbarnea ssbarnea merged commit 07f246a into pycontribs:master May 25, 2021
svermeulen pushed a commit to svermeulen/jira that referenced this pull request Oct 31, 2021
@Flupp @svermeulen
ResilientSession: do not log request data on ConnectionError (pycontr…
a98106c 
…ibs#928)

* ResilientSession: make maximal retry delay configurable

* ResilientSession: do not log request data on ConnectionError

The request data may contain secrets, e.g., a plaintext password when
using basic auth. Therefore the request data shall not be logged.

* test that no sensitive data is written to the log

The test checks that no sensitive data is written to the log in case of
a connection errors.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@studioj studioj studioj approved these changes

@adehad adehad adehad approved these changes

@ssbarnea ssbarnea Awaiting requested review from ssbarnea

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Flupp @studioj @ssbarnea @adehad