Leaks API key on exception #330

Closed
ricardobranco777 opened this issue Sep 19, 2023 · 2 comments

@ricardobranco777

The quick way to test it is with no Internet connection:

import os
import logging
from redminelib import Redmine
from redminelib.exceptions import BaseRedmineError
from requests.exceptions import RequestException

URL = os.getenv("URL", "https://progress.opensuse.org")
USER = os.getenv("USER", "test")
API_KEY = "MYAPIKEY"

try:
    client = Redmine(URL, username=USER, key=API_KEY)
    client.issue.get(777)
except (BaseRedmineError, RequestException) as exc:
    logging.error("%s", exc)

ERROR:root:HTTPSConnectionPool(host='progress.opensuse.org', port=443): Max retries exceeded with url: /issues/777.json?key=MYAPIKEY (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7fa218b31450>: Failed to resolve 'progress.opensuse.org' ([Errno -3] Temporary failure in name resolution)"))

The only workaround is to catch requests.exceptions.ConnectionError.
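A defensive complement to the report above, as an added example that is not part of the original issue or of python-redmine: a logging filter that scrubs the `key=` query parameter from messages and tracebacks before a handler writes them. `RedactKeyFilter`, `redact`, `demo` and the sample string are hypothetical names constructed here, and a built-in `ConnectionError` stands in for the `requests` exception so the block runs offline.

```python
import io
import logging
import re

# Value of a `key` query parameter, as in `/issues/777.json?key=MYAPIKEY`.
_KEY_PARAM = re.compile(r"([?&]key=)[^&\s)'\"]+", re.IGNORECASE)

# Constructed sample shaped like the error in the issue (the key is a dummy).
SAMPLE = ("HTTPSConnectionPool(host='progress.opensuse.org', port=443): Max retries "
          "exceeded with url: /issues/777.json?key=MYAPIKEY (Caused by ...)")


def redact(text: str) -> str:
    """Replace the key value but keep the parameter name for debugging."""
    return _KEY_PARAM.sub(r"\1[REDACTED]", text)


class RedactKeyFilter(logging.Filter):
    """Hypothetical helper: scrub key=... from messages and tracebacks."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first: the secret usually arrives inside an
        # exception passed as an argument, not in the format string.
        record.msg = redact(record.getMessage())
        record.args = None
        if record.exc_info and not record.exc_text:
            record.exc_text = logging.Formatter().formatException(record.exc_info)
        if record.exc_text:
            # Formatter reuses exc_text when it is set, so scrub it here.
            record.exc_text = redact(record.exc_text)
        return True


def demo() -> str:
    """Log SAMPLE two ways through a filtered handler; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler, not the logger: logger-level filters do not see
    # records propagated from child loggers.
    handler.addFilter(RedactKeyFilter())
    log = logging.getLogger("redact_demo")
    log.propagate = False
    log.addHandler(handler)
    try:
        raise ConnectionError(SAMPLE)  # stand-in for requests' ConnectionError
    except ConnectionError as exc:
        log.error("%s", exc)            # message path
        log.exception("lookup failed")  # traceback path
    log.removeHandler(handler)
    return stream.getvalue()
```

The filter only covers output that goes through `logging`; the exception object itself still carries the key, so uncaught tracebacks and error-reporting hooks need the same scrubbing.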

@ricardobranco777
Author

ricardobranco777 commented Sep 26, 2023

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this issue Oct 2, 2023
https://build.opensuse.org/request/show/1114261
by user dirkmueller + anag+factory
- Add 328.patch to workaround "API key leakage on exception"
  described in boo#1215722
  maxtepkeev/python-redmine#330
  maxtepkeev/python-redmine#328
@maxtepkeev maxtepkeev self-assigned this Mar 3, 2024
@maxtepkeev
Owner

Fixed in #328. Thanks.
