Dancer2::Core::Error::_censor(): Improve detection of sensitive data. #1206
Conversation
In addition to checking the keys of each hash at each level, we should also check the keys of hashes blessed into classes. We should also check for the values of sensitive keys in key-value pairs in query clauses, e.g., '&pass=my_top_hush_pwrd'. t/error.t: Add subtest block explicitly testing _censor().
While working my way through Dancer2::Manual, I encountered errors which dumped my config.yml and session data into the browser, thereby exposing my password. Investigation suggested that Dancer2::Core::Error::_censor() was at fault. Most parts of that subroutine were also unexercised by the test suite. So I revised _censor() and added a test block with dummy data worked up from the error output I encountered earlier in the day. The additional tests may not be in approved Dancer2 style, but they get the job done. Test coverage of Dancer2::Core::Error has been improved as follows:
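The approach the PR describes (checking hash keys at every level, including hashes blessed into classes, and scrubbing the values of sensitive keys inside query-string pairs) as an added example in plain Perl. This is not Dancer2's own `_censor()` and not code from the PR; the sensitive-key pattern, the redaction string, the `My::Config` class name and the sample data are assumptions made for the example.

```perl
use strict;
use warnings;
use Scalar::Util qw(reftype refaddr);

# Assumed list of sensitive key names; Dancer2's own list may differ.
my $SENSITIVE = qr/^(?:pass(?:word|wd|phrase)?|pwd|secret|token|api_key|card)$/i;
my $REDACTED  = 'Hidden (looks potentially sensitive)';

# Walk a data structure in place. reftype() ignores bless(), so an object that
# is a blessed hash (or array) is censored exactly like a plain one.
sub censor {
    my ($data, $seen) = @_;
    $seen //= {};
    my $type = reftype($data) // '';
    if ($type) {
        # guard against cycles: each reference is visited once
        return $data if $seen->{ refaddr($data) }++;
    }
    if ($type eq 'HASH') {
        for my $key (keys %$data) {
            if ($key =~ $SENSITIVE) {
                $data->{$key} = $REDACTED;          # redact by key name
            } else {
                censor($data->{$key}, $seen);      # recurse into the value
            }
        }
    } elsif ($type eq 'ARRAY') {
        censor($_, $seen) for @$data;
    } elsif ($type eq 'SCALAR' || $type eq 'REF') {
        censor($$data, $seen);
    } elsif (defined $data && !ref $data) {
        # Plain string: redact the value of sensitive keys inside query-string
        # style pairs, e.g. 'user=jane&pass=my_top_hush_pwrd'. $_[0] is an alias
        # to the caller's scalar, so the edit is made in place.
        $_[0] =~ s{([?&;]|^)(\w+)=([^&;]*)}{
            my ($sep, $k, $v) = ($1, $2, $3);
            $sep . $k . '=' . ($k =~ $SENSITIVE ? $REDACTED : $v)
        }ge;
    }
    return $_[0];
}

# Constructed sample resembling what an error page might dump: a blessed
# config object nested inside a PSGI-like environment hash.
my $config = bless { user => 'jane', password => 'hunter2' }, 'My::Config';
my $env    = { QUERY_STRING => 'user=jane&pass=my_top_hush_pwrd', app => [$config] };
censor($env);
die 'key-based redaction failed'    unless $config->{password} eq $REDACTED;
die 'query-string redaction failed' unless $env->{QUERY_STRING} eq "user=jane&pass=$REDACTED";
print "censored: $env->{QUERY_STRING}\n";
```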
It might be extra zealous in some situations, but it shouldn't hurt. For me, 👍.
On 07/08/2016 01:21 PM, Alberto Simões wrote:
Thanks for the feedback. After creating the p.r., I got to thinking: Isn't this a candidate for
Yes, that's true. I think that if you want to create one, nobody would oppose starting to use it. But that is me speaking (not the core group).
Okay, I might attempt that in a few weeks. In the meantime, I'd like to see if this is an acceptable patch for Dancer2. Thank you very much.
Since there already exists #530 with the same feature request, I will close this request. I hope that some improved detection of sensitive data can be implemented soon.
Leave it open until something is done. :-)