pax d6909bf4d7 security: fix #3 — redact URL in BooruClient._log_request ...

The httpx request event hook converts request.url to a str so
log_connection can parse it — at that point the credential query
params (login, api_key, etc.) are in scope and could be captured
by any traceback, debug hook, or monitoring agent observing the
hook call. Pipe through redact_url() first so the rendered string
never carries the secrets, even transiently.

Audit-Ref: SECURITY_AUDIT.md finding #3
Severity: Medium

2026-04-11 16:12:28 -05:00

..

__init__.py

Initial release — booru image viewer with Qt6 GUI and Textual TUI

2026-04-04 06:00:50 -05:00

_safety.py

security: fix #1 — add public-host validator helper

2026-04-11 16:09:53 -05:00

base.py

security: fix #3 — redact URL in BooruClient._log_request

2026-04-11 16:12:28 -05:00

category_fetcher.py

category_fetcher: fix _do_ensure to try batch API when not yet probed

2026-04-09 19:53:20 -05:00

danbooru.py

danbooru: populate categories in get_post (latent bug fix)

2026-04-09 19:13:52 -05:00

detect.py

security: fix #1 — wire SSRF hook into detect_site_type client

2026-04-11 16:11:37 -05:00

e621.py

security: fix #1 — wire SSRF hook into E621Client custom client

2026-04-11 16:11:12 -05:00

gelbooru.py

gelbooru: re-add background prefetch for batch API fast path only

2026-04-09 20:01:34 -05:00

moebooru.py

gelbooru+moebooru: drop background prefetch from search, fetch on demand

2026-04-09 19:48:04 -05:00