[Django] #34965: @sensitive_variables for coroutine func are not recursive


Django

Nov 12, 2023, 5:04:56 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: vagi8 | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 5.0
Severity: Normal | Keywords: @sensitive_variables, @sensitive_post_parameters
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
There is a difference in functionality of how
@sensitive_variables/sensitive_post_parameters work for synchronous
functions and asynchronous functions.

Sync funcs. - It recursively hides the variables from all frames in the
stack until new sensitive variables are defined for a frame. Example:
wrappers to nested function calls, variables are hidden.

Async funcs. - It only hides the variables in the topmost frame of the
stack. Example: if there is a view func with sensitive variables, and it
also has a decorator, it hides only in the wrapper and not in the actual
view.

I would expect both to work in a similar way. I am also deeply invested in
the idea so I am willing to contribute a PR.

--
Ticket URL: <https://code.djangoproject.com/ticket/34965>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Nov 12, 2023, 5:14:19 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: vagi8 | Owner: vageeshan
Type: Uncategorized | Status: assigned
Component: Uncategorized | Version: 5.0
Severity: Normal | Resolution:
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by vagi8):

* owner: nobody => vageeshan
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:1>

Django

Nov 12, 2023, 5:14:29 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: vagi8 | Owner: vageeshan
Type: Uncategorized | Status: assigned
Component: Uncategorized | Version: 5.0
Severity: Normal | Resolution:
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by vagi8):

* cc: vagi8 (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:2>

Django

Nov 12, 2023, 5:16:04 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: assigned
Component: Uncategorized | Version: 5.0
Severity: Normal | Resolution:
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Vageeshan Mankala):

* cc: Vageeshan Mankala (removed)
* type: Uncategorized => Bug


--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:3>

Django

Nov 12, 2023, 5:17:57 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: vagi8 | Owner: vageeshan
Type: Bug | Status: assigned
Component: Uncategorized | Version: 5.0
Severity: Normal | Resolution:
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by vagi8):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:4>

Django

Nov 13, 2023, 3:27:04 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: assigned
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution:
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: Jon Janzen (added)
* needs_better_patch: 1 => 0
* component: Uncategorized => Core (Other)


Comment:

#31949

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:5>

Django

Nov 15, 2023, 3:13:38 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: assigned => closed
* resolution: => needsinfo


Comment:

Thanks for the report, I don't think you've explained the issue in enough
detail to confirm a bug in Django. Please reopen the ticket if you can
debug your issue and provide a sample project that reproduces the issue.
Also, be aware that `sync_to_async()` and `async_to_sync()` are not
compatible with `@sensitive_variables` (as
[https://docs.djangoproject.com/en/5.0/howto/error-reporting/#django.views.decorators.debug.sensitive_variables documented]).

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:6>

Django

Nov 15, 2023, 10:58:07 PM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Jon Janzen):

> Also, be aware that sync_to_async() and async_to_sync() are not
> compatible with @sensitive_variables (as documented).

We might want to update those docs, as recent versions (>= 3.7.0) will
hide variables from the internals of asgiref:
https://github.com/django/asgiref/pull/383

Changelog note for asgiref:
https://github.com/django/asgiref/blob/main/CHANGELOG.txt#L25

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:7>

Django

Nov 16, 2023, 12:02:58 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

Replying to [comment:7 Jon Janzen]:


> > Also, be aware that sync_to_async() and async_to_sync() are not
> > compatible with @sensitive_variables (as documented).
>
> We might want to update those docs, as recent versions (>= 3.7.0) will
> hide variables from the internals of asgiref:
> https://github.com/django/asgiref/pull/383
>
> Changelog note for asgiref:
> https://github.com/django/asgiref/blob/main/CHANGELOG.txt#L25

Django 5.0+ required asgiref 3.7+. Do you think it's time to remove this
warning?

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:8>

Django

Nov 16, 2023, 12:05:53 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Jon Janzen):

> Django 5.0+ required asgiref 3.7+. Do you think it's time to remove this
> warning?

Yeah that's probably a good idea, I completely missed that you added this
warning.

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:9>

Django

Nov 16, 2023, 2:41:26 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: Carlton Gibson (added)


Comment:

It was added in b00046d2c25771bed2242680b08b524a44aa9798.

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:10>

Django

Nov 16, 2023, 7:07:44 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Carlton Gibson):

Thanks for the ping. Yes, with the change to asgiref, it seems reasonable
to drop the warnings. (I didn't check the internal Python frames again,
but they're future related, and don't feature sensitive Django-related
variables…)

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:11>

Django

Nov 17, 2023, 5:32:43 AM
to django-...@googlegroups.com
#34965: @sensitive_variables for coroutine func are not recursive
-------------------------------------+-------------------------------------
Reporter: Vageeshan Mankala | Owner: vageeshan
Type: Bug | Status: closed
Component: Core (Other) | Version: 5.0
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
@sensitive_variables, | Unreviewed
@sensitive_post_parameters |
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

Replying to [comment:11 Carlton Gibson]:


> Thanks for the ping. Yes, with the change to asgiref, it seems
> reasonable to drop the warnings. (I didn't check the internal Python
> frames again, but they're future related, and don't feature sensitive
> Django-related variables…)

[https://github.com/django/django/pull/17484 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/34965#comment:12>
