Merge pull request #69 from snok/mitigate-log4shell-alike-attacks

Remove logging of invalid headers if they are not safe
snok · Dec 13, 2021 · 90d541a · 90d541a
2 parents 8f464a9 + 86e972d
commit 90d541a
Show file tree

Hide file tree

Showing 10 changed files with 253 additions and 169 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -43,7 +43,7 @@ jobs:
       fail-fast: false
       matrix:
         python-version: [ "3.7", "3.8", "3.9", "3.10" ]
-        django-version: [ "3.1.4", "3.2" ]
+        django-version: [ "3.1.4", "3.2", "4.0" ]
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2

diff --git a/django_guid/__init__.py b/django_guid/__init__.py
@@ -1,6 +1,6 @@
 from django_guid.api import clear_guid, get_guid, set_guid  # noqa F401
 
-__version__ = '3.2.0'
+__version__ = '3.2.1'
 default_app_config = 'django_guid.apps.DjangoGuidConfig'
 
 __all__ = ['clear_guid', 'get_guid', 'set_guid']
diff --git a/django_guid/api.py b/django_guid/api.py
@@ -31,4 +31,3 @@ def clear_guid() -> None:
     if old_guid:
         logger.info('Clearing %s from the guid ContextVar', old_guid)
     guid.set(None)
-    return
diff --git a/django_guid/middleware.py b/django_guid/middleware.py
@@ -32,7 +32,6 @@ def process_incoming_request(request: HttpRequest) -> None:
         for integration in settings.integrations:
             logger.debug('Running integration: `%s`', integration.identifier)
             integration.run(guid=guid.get())
-    return
 
 
 def process_outgoing_request(response: HttpResponse, request: HttpRequest) -> None:
@@ -49,7 +48,6 @@ def process_outgoing_request(response: HttpResponse, request: HttpRequest) -> No
         for integration in settings.integrations:
             logger.debug('Running tear down for integration: `%s`', integration.identifier)
             integration.cleanup()
-    return
 
 
 @sync_and_async_middleware

diff --git a/django_guid/signals.py b/django_guid/signals.py
@@ -25,4 +25,3 @@ def clear_guid(sender: Optional[dict], **kwargs: Any) -> None:
     """
     logger.debug('Received signal `request_finished`, clearing guid')
     guid.set(None)
-    return
diff --git a/django_guid/utils.py b/django_guid/utils.py
@@ -15,7 +15,7 @@ def get_correlation_id_from_header(request: HttpRequest) -> str:
     :param request: HttpRequest object
     :return: GUID
     """
-    given_guid = str(request.headers.get(settings.guid_header_name))
+    given_guid: str = str(request.headers.get(settings.guid_header_name))
     if not settings.validate_guid:
         logger.debug('Returning ID from header without validating it as a GUID')
         return given_guid
@@ -24,7 +24,10 @@ def get_correlation_id_from_header(request: HttpRequest) -> str:
         return given_guid
     else:
         new_guid = generate_guid()
-        logger.warning('%s is not a valid GUID. New GUID is %s', given_guid, new_guid)
+        if all(letter.isalnum() or letter == '-' for letter in given_guid):
+            logger.warning('%s is not a valid GUID. New GUID is %s', given_guid, new_guid)
+        else:
+            logger.warning('Non-alnum %s provided. New GUID is %s', settings.guid_header_name, new_guid)
         return new_guid
 
 
@@ -38,7 +41,7 @@ def get_id_from_header(request: HttpRequest) -> str:
     """
     header: str = request.headers.get(settings.guid_header_name)  # Case insensitive headers.get added in Django2.2
     if header:
-        logger.info('%s found in the header: %s', settings.guid_header_name, header)
+        logger.info('%s found in the header', settings.guid_header_name)
         request.correlation_id = get_correlation_id_from_header(request)
     else:
         request.correlation_id = generate_guid()
@@ -80,5 +83,4 @@ def validate_guid(original_guid: str) -> bool:
     try:
         return bool(uuid.UUID(original_guid, version=4).hex)
     except ValueError:
-        logger.warning('Failed to validate GUID %s', original_guid)
         return False