security: fix #3 — redact URL in BooruClient._log_request

The httpx request event hook converts request.url to a str so log_connection can parse it — at that point the credential query params (login, api_key, etc.) are in scope and could be captured by any traceback, debug hook, or monitoring agent observing the hook call. Pipe through redact_url() first so the rendered string never carries the secrets, even transiently. Audit-Ref: SECURITY_AUDIT.md finding #3 Severity: Medium
2026-04-11 16:12:28 -05:00 · 2026-04-11 16:12:28 -05:00 · d6909bf4d7
commit d6909bf4d7
parent c735db0c68
1 changed files with 6 additions and 2 deletions
--- a/booru_viewer/core/api/base.py
+++ b/booru_viewer/core/api/base.py
@ -12,7 +12,7 @@ import httpx

 from ..config import USER_AGENT, DEFAULT_PAGE_SIZE
 from ..cache import log_connection
-from ._safety import validate_public_request
+from ._safety import redact_url, validate_public_request

 log = logging.getLogger("booru")

@ -133,7 +133,11 @@ class BooruClient(ABC):

    @staticmethod
    async def _log_request(request: httpx.Request) -> None:
-        log_connection(str(request.url))
+        # Redact api_key / login / user_id / password_hash from the
+        # URL before it ever crosses the function boundary — the
+        # rendered URL would otherwise land in tracebacks, debug logs,
+        # or in-app connection-log views as plaintext.
+        log_connection(redact_url(str(request.url)))

    _RETRYABLE_STATUS = frozenset({429, 503})