security: fix #3 — redact params in DanbooruClient debug log
The log.debug(f" params: {params}") line in search() previously
dumped login + api_key to the booru logger at DEBUG level. Route
the params dict through redact_params() so the keys are replaced
with *** before formatting.
Audit-Ref: SECURITY_AUDIT.md finding #3
Severity: Medium
This commit is contained in:
parent
d6909bf4d7
commit
9a3bb697ec
@ -5,6 +5,7 @@ from __future__ import annotations
|
|||||||
import logging
|
import logging
|
||||||
|
|
||||||
from ..config import DEFAULT_PAGE_SIZE
|
from ..config import DEFAULT_PAGE_SIZE
|
||||||
|
from ._safety import redact_params
|
||||||
from .base import BooruClient, Post, _parse_date
|
from .base import BooruClient, Post, _parse_date
|
||||||
|
|
||||||
log = logging.getLogger("booru")
|
log = logging.getLogger("booru")
|
||||||
@ -23,7 +24,7 @@ class DanbooruClient(BooruClient):
|
|||||||
|
|
||||||
url = f"{self.base_url}/posts.json"
|
url = f"{self.base_url}/posts.json"
|
||||||
log.info(f"GET {url}")
|
log.info(f"GET {url}")
|
||||||
log.debug(f" params: {params}")
|
log.debug(f" params: {redact_params(params)}")
|
||||||
resp = await self._request("GET", url, params=params)
|
resp = await self._request("GET", url, params=params)
|
||||||
log.info(f" -> {resp.status_code}")
|
log.info(f" -> {resp.status_code}")
|
||||||
if resp.status_code != 200:
|
if resp.status_code != 200:
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user