Toggle on variable in _defaults.py

Delgan · May 11, 2024 · 87eafb8 · 87eafb8
1 parent 2c0b3b5
commit 87eafb8
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 100 deletions.
diff --git a/build_hardened.py b/build_hardened.py
@@ -1,5 +1,16 @@
-import os
-import shutil
+#!/usr/bin/env python
+"""
+Loguru hardened
+---------------
+
+Loguru hardened is a release of loguru which has small patches to make the default use more secure (and less developer friendly).
+
+The following changes make loguru-hardened different:
+
+- Use serialize by default to mitigate possible injection of newlines by logging data injected by malicious user.
+  See https://huntr.com/bounties/73ebb08a-0415-41be-b9b0-0cea067f6771
+- Disable diagnose by default, to keep context information from leaking into the logs.    
+"""
 import subprocess
 
 
@@ -16,26 +27,28 @@ def update_setup_py():
         f.write(setup_py)
 
 
-def replace_with_hardened_files():
-    """Replace the loguru files with hardened versions"""
-    # Walk hardened folder and copy files to loguru folder
-    for root, _, files in os.walk("hardened"):
-        for file in files:
-            assert os.path.isfile(os.path.join("loguru", file))
-            # Copy file to loguru folder
-            shutil.copy(os.path.join(root, file), os.path.join("loguru", file))
-
+def update_defaults_py():
+    """Set HARDENED_BUILD to True in _defaults.py"""
+    defaults_py_path = "loguru/_defaults.py"
+    with open(defaults_py_path, "r") as f:
+        defaults_py = f.read()
+    hardened_defaults = defaults_py.replace("HARDENED_BUILD = False", "HARDENED_BUILD = True")
+    assert hardened_defaults != defaults_py
+    with open(defaults_py_path, "w") as f:
+        f.write(hardened_defaults)
 
 def main():
     """Update the setup.py file for logoru-hardened
 
-    - copy hardened files in place,
+    - patch to become hardened:
+        - setup.py
+        - _defaults.py
     - test
     - build
     - git checkout changes
     """
     update_setup_py()
-    replace_with_hardened_files()
+    update_defaults_py()
     tox_test_result = subprocess.run(["tox", "-e", "tests"])
     tox_test_result.check_returncode()
     build_result = subprocess.run(["python", "-m", "build"])

diff --git a/hardened/README.rst b/hardened/README.rst
diff --git a/hardened/_defaults.py b/hardened/_defaults.py
diff --git a/loguru/_defaults.py b/loguru/_defaults.py
@@ -26,6 +26,7 @@ def env(key, type_, default=None):
             ) from None
     raise ValueError("The requested type '%r' is not supported" % type_)
 
+HARDENED_BUILD = False
 
 LOGURU_AUTOINIT = env("LOGURU_AUTOINIT", bool, True)
 
@@ -39,9 +40,9 @@ def env(key, type_, default=None):
 LOGURU_FILTER = env("LOGURU_FILTER", str, None)
 LOGURU_LEVEL = env("LOGURU_LEVEL", str, "DEBUG")
 LOGURU_COLORIZE = env("LOGURU_COLORIZE", bool, None)
-LOGURU_SERIALIZE = env("LOGURU_SERIALIZE", bool, False)
+LOGURU_SERIALIZE = env("LOGURU_SERIALIZE", bool, True if HARDENED_BUILD else False)
 LOGURU_BACKTRACE = env("LOGURU_BACKTRACE", bool, True)
-LOGURU_DIAGNOSE = env("LOGURU_DIAGNOSE", bool, True)
+LOGURU_DIAGNOSE = env("LOGURU_DIAGNOSE", bool, False if HARDENED_BUILD else True)
 LOGURU_ENQUEUE = env("LOGURU_ENQUEUE", bool, False)
 LOGURU_CONTEXT = env("LOGURU_CONTEXT", str, None)
 LOGURU_CATCH = env("LOGURU_CATCH", bool, True)