Issue
Django's builtin capability of emailing admins upon errors (see https://docs.djangoproject.com/en/dev/howto/error-reporting/) is quite handy.
However, these traceback emails include a full dump of environment variables.
And as advised in the django docs & elsewhere (e.g. https://docs.djangoproject.com/en/dev/howto/deployment/checklist/) I've moved some secrets/keys/passwords into environment variables as a simple way to keep them away from the codebase & vary them across deployments. Unfortunately this means that when there's a crash report these secrets get sent in the clear to a set of email accounts. Not a good practice.
The django ExceptionReporter has basic filtering to pull out "dangerous or offensive" settings, so e.g. the value of any item in settings.py whose name contains the strings "pass" or "key" will be replaced with ****s. Thus a secret key in settings.py gets edited out. But this filter is not applied to environment variables, which appear in both the Traceback->Local vars->request and Request Information->Meta sections of these error reports.
Obviously there are other ways to manage secrets but the unix environment is a pretty common solution for small sites where creating a more complex configuration system isn't warranted.
It also seems problematic that these two practices, both recommended in the basic django docs, are unsafe when applied together.
Emailing around site debug information always carries some risk of leaking information, but this seems like a significant omission that could be addressed by expanded filtering, perhaps controlled by some setting.
Has anyone already patched this (presumably expanding the filtering in django/views/debug.py) for their deployment and/or submitted a patch to the django team? Or am I missing some other obvious way to address this?
Solution
OK, missed this in my previous checking, but apparently the django team had approximately this bug logged & closed it as will-not-fix 6 years ago:
https://code.djangoproject.com/ticket/7472
I will take it up with them, since I believe that django has made substantial security progress in the intervening time and now may want to, and have some simple ways to, address this. :)
In the meantime, if you use this email-the-admins function please be cognizant of the risk. If you send these emails then I would strongly urge you to leave or place all secrets/passwords/keys/certs/etc in python config files, and to ensure you are scrubbing the (unix) environment that is passed to your django web service.
Answered By - geewiz
0 comments:
Post a Comment
Note: Only a member of this blog may post a comment.