zulip/zerver/filters.py

from __future__ import absolute_import

from typing import Any

from django.views.debug import SafeExceptionReporterFilter
from django.http import HttpRequest, build_request_repr

class ZulipExceptionReporterFilter(SafeExceptionReporterFilter):
    def get_post_parameters(self, request):
        # type: (HttpRequest) -> Dict[str, Any]
        filtered_post = SafeExceptionReporterFilter.get_post_parameters(self, request).copy()
        filtered_vars = ['content', 'secret', 'password', 'key', 'api-key', 'subject', 'stream',
                         'subscriptions', 'to', 'csrfmiddlewaretoken', 'api_key']

        for var in filtered_vars:
            if var in filtered_post:
                filtered_post[var] = '**********'
        return filtered_post
    def get_request_repr(self, request):
        # type: (HttpRequest) -> str
        if request is None:
            return repr(None)
        else:
            return build_request_repr(request,
                                      POST_override=self.get_post_parameters(request),
                                      COOKIES_override="**********",
                                      META_override="**********")
Enable absolute imports. See PEP 328[1] for details. This feature was introduced in Python 2.5 and will become mandatory in Python 3. [1]: http://www.python.org/dev/peps/pep-0328 (imported from commit 7444eeba8a08d5f91b94c7921848f2274979bd76) 2013-04-23 18:51:17 +02:00			`from __future__ import absolute_import`

Annotate zerver.exceptions, zerver.filters, zerver.logging_handlers. 2016-06-05 07:51:18 +02:00			`from typing import Any`

Filter out "content" and "secret" from exceptions. (imported from commit 31206f528fc93746133ebe2d9234b6ce0b88cf3b) 2012-12-07 23:00:13 +01:00			`from django.views.debug import SafeExceptionReporterFilter`
Annotate zerver.exceptions, zerver.filters, zerver.logging_handlers. 2016-06-05 07:51:18 +02:00			`from django.http import HttpRequest, build_request_repr`
Filter out "content" and "secret" from exceptions. (imported from commit 31206f528fc93746133ebe2d9234b6ce0b88cf3b) 2012-12-07 23:00:13 +01:00
Change Humbug => Zulip in name of exception filter module. (imported from commit 87d4a45834f605a83fa5f9286217258dafaa1b92) 2013-08-06 21:38:05 +02:00			`class ZulipExceptionReporterFilter(SafeExceptionReporterFilter):`
Filter out "content" and "secret" from exceptions. (imported from commit 31206f528fc93746133ebe2d9234b6ce0b88cf3b) 2012-12-07 23:00:13 +01:00			`def get_post_parameters(self, request):`
Annotate zerver.exceptions, zerver.filters, zerver.logging_handlers. 2016-06-05 07:51:18 +02:00			`# type: (HttpRequest) -> Dict[str, Any]`
Filter out additional sensitive POST params This should really be handled on a per-method basis, but in general we don't want "password" or "key" to be sent to us for security reasons. Addresses trac #569. (imported from commit 1c246fce00f3740977c595641341ee36eb5ed831) 2012-12-19 08:20:49 +01:00			`filtered_post = SafeExceptionReporterFilter.get_post_parameters(self, request).copy()`
Filter out api-key, not api_key We don't use the latter anywhere in our API, and this typo caused user API keys to be emailed / humbugged places. (imported from commit d0402e8e9fd587f6a9018c962d222fb5f9ceca48) 2013-01-23 17:35:49 +01:00			`filtered_vars = ['content', 'secret', 'password', 'key', 'api-key', 'subject', 'stream',`
Add api_key to filtered variables. We don't use it yet, but the plan is the migrate there and it's better to just have the filtering in place. (imported from commit d0e7f40e8a439b8e8751da954e79b5f67226e5a9) 2013-12-11 17:53:11 +01:00			`'subscriptions', 'to', 'csrfmiddlewaretoken', 'api_key']`
Filter out additional sensitive POST params This should really be handled on a per-method basis, but in general we don't want "password" or "key" to be sent to us for security reasons. Addresses trac #569. (imported from commit 1c246fce00f3740977c595641341ee36eb5ed831) 2012-12-19 08:20:49 +01:00
			`for var in filtered_vars:`
			`if var in filtered_post:`
			`filtered_post[var] = '**********'`
Filter out "content" and "secret" from exceptions. (imported from commit 31206f528fc93746133ebe2d9234b6ce0b88cf3b) 2012-12-07 23:00:13 +01:00			`return filtered_post`
Filter out all cookies and the csrfmiddlewaretoken. We also remove META here since it rarely contains anything useful, and often contains sensitive environment vars. (imported from commit 2909613f9f52684bef9175600961801104644c75) 2013-01-25 19:34:07 +01:00			`def get_request_repr(self, request):`
Annotate zerver.exceptions, zerver.filters, zerver.logging_handlers. 2016-06-05 07:51:18 +02:00			`# type: (HttpRequest) -> str`
Filter out all cookies and the csrfmiddlewaretoken. We also remove META here since it rarely contains anything useful, and often contains sensitive environment vars. (imported from commit 2909613f9f52684bef9175600961801104644c75) 2013-01-25 19:34:07 +01:00			`if request is None:`
			`return repr(None)`
			`else:`
			`return build_request_repr(request,`
			`POST_override=self.get_post_parameters(request),`
			`COOKIES_override="**********",`
			`META_override="**********")`