From d81f411bff2da7347c343a83e17f5814475b5b64 Mon Sep 17 00:00:00 2001
From: amercader
Date: Wed, 6 Mar 2024 12:28:51 +0100
Subject: [PATCH] Use repr for logging user input

---
 ckan/common.py | 9 +++++++++
 ckan/views/user.py | 7 +++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ckan/common.py b/ckan/common.py
index 3d8fde56ac8..a48115ad1cd 100644
--- a/ckan/common.py
+++ b/ckan/common.py
@@ -261,6 +261,15 @@ def aslist(obj: Any, sep: Optional[str] = None, strip: bool = True) -> Any:
     return [obj]
 
 
+def repr_untrusted(danger: Any):
+    """
+    repr-format danger and truncate e.g. for logging untrusted input
+    """
+    r = repr(danger)
+    rtrunc = r[:200]
+    return rtrunc + '…' if r != rtrunc else r
+
+
 local = Local()
 
 # This a proxy to the bounded config object
diff --git a/ckan/views/user.py b/ckan/views/user.py
index 89de7c1d869..150c049c804 100644
--- a/ckan/views/user.py
+++ b/ckan/views/user.py
@@ -24,7 +24,8 @@ import ckan.plugins as plugins
 from ckan import authz
 from ckan.common import (
-    _, config, g, request, current_user, login_user, logout_user, session
+    _, config, g, request, current_user, login_user, logout_user, session,
+    repr_untrusted
 )
 from ckan.types import Context, Schema, Response
 from ckan.lib import signals
@@ -649,7 +650,7 @@ def post(self) -> Response:
         if id in (None, u''):
             h.flash_error(_(u'Email is required'))
             return h.redirect_to(u'user.request_reset')
-        log.info(u'Password reset requested for user "{}"'.format(id))
+        log.info(u'Password reset requested for user %s', repr_untrusted(id))
         context = cast(
             Context, {
@@ -692,6 +693,8 @@ def post(self) -> Response:
             pass
         if not user_objs:
+            log.info(u'User requested reset link for unknown user: %s',
+                     repr_untrusted(id))
             log.info(u'User requested reset link for unknown user: {}'
                      .format(id))
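Review bot: `repr_untrusted` is the log-injection defence this commit relies on, but neither its signature nor its docstring says so: the file annotates return types (`aslist` just above), and the hard-coded `200` belongs in the interface, `def repr_untrusted(danger: Any, max_len: int = 200) -> str:` with `rtrunc = r[:max_len]` in the body. I would expand the docstring to state that `repr()` escapes newlines and other control characters, so a value taken from a request cannot forge additional log lines, and that the result is cut to `max_len` characters with a trailing `…` marker. It is also worth a sentence that the cut can land inside an escape sequence such as `\x1b`, leaving a dangling backslash at the end of the logged text, which is harmless but can confuse a reader.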
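Review bot: The original `log.info(u'User requested reset link for unknown user: {}' .format(id))` is left in place below the new call, so the unknown-user event is now logged twice and the second line still writes the raw, un-escaped input this commit is meant to keep out of the log. The two context lines `log.info(u'User requested reset link for unknown user: {}'` and `.format(id))` should become removals in this hunk, as the `-` line in the earlier `post` hunk does; the diffstat's `+5 -2` for this file confirms nothing was removed here. `post` starts before this hunk and continues past it.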