Skip to content

32998 sanitize auth dicts #92

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pboucher merged 3 commits into from
Oct 23, 2015
Merged

32998 sanitize auth dicts #92

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0ba1562
For #32998 - Make sure auth params are sanitized prior to raising err…
Oct 22, 2015
bafe555
For #32998 - Test for sanitize auth params and bugfix.
Oct 23, 2015
bcb4e24
For #32998 - Bugfix for sanitized auth params test
Oct 23, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions shotgun_api3/shotgun.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1379,7 +1379,7 @@ def share_thumbnail(self, entities, thumbnail_path=None, source_entity=None,
except urllib2.HTTPError, e:
if e.code == 500:
raise ShotgunError("Server encountered an internal error. "
"\n%s\n(%s)\n%s\n\n" % (url, params, e))
"\n%s\n(%s)\n%s\n\n" % (url, self._sanitize_auth_params(params), e))
else:
raise ShotgunError("Unanticipated error occurred %s" % (e))
else:
Expand Down Expand Up @@ -1491,7 +1491,7 @@ def upload(self, entity_type, entity_id, path, field_name=None,
except urllib2.HTTPError, e:
if e.code == 500:
raise ShotgunError("Server encountered an internal error. "
"\n%s\n(%s)\n%s\n\n" % (url, params, e))
"\n%s\n(%s)\n%s\n\n" % (url, self._sanitize_auth_params(params), e))
else:
raise ShotgunError("Unanticipated error occurred uploading "
"%s: %s" % (path, e))
Expand Down Expand Up @@ -2097,6 +2097,17 @@ def _auth_params(self):

return auth_params

def _sanitize_auth_params(self, params):
"""
Given an authentication parameter dictionary, sanitize any sensitive
information and return the sanitized dict copy.
"""
sanitized_params = copy.copy(params)
for k in ['user_password', 'script_key', 'session_token']:
if k in sanitized_params:
sanitized_params[k] = '********'
return sanitized_params

def _build_payload(self, method, params, include_auth_params=True):
"""Builds the payload to be send to the rpc endpoint.

Expand Down
20 changes: 20 additions & 0 deletions tests/test_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
import uuid
import unittest
import urlparse
import urllib2

import shotgun_api3
from shotgun_api3.lib.httplib2 import Http
Expand Down Expand Up @@ -1469,6 +1470,25 @@ def test_status_not_200(self, mock_request):
mock_request.return_value = (response, {})
self.assertRaises(shotgun_api3.ProtocolError, self.sg.find_one, 'Shot', [])

@patch.object(urllib2.OpenerDirector, 'open')
def test_sanitized_auth_params(self, mock_open):
# Simulate the server blowing up and giving us a 500 error
mock_open.side_effect = urllib2.HTTPError('url', 500, 'message', {}, None)

this_dir, _ = os.path.split(__file__)
thumbnail_path = os.path.abspath(os.path.join(this_dir, "sg_logo.jpg"))

try:
# Try to upload a bogus file
self.sg.upload('Note', 1234, thumbnail_path)
except shotgun_api3.ShotgunError, e:
self.assertFalse(self.api_key in str(e))
return

# You should never get here... Otherwise some mocking failed and the
# except above wasn't properly run
self.assertTrue(False)

# def test_malformed_response(self):
# #TODO ResponseError
# pass
Expand Down