[Django] #37170: No-argument form of @sensitive_post_parameters() doesn't cleanse request.POST

Django

Jun 15, 2026, 10:56:39 AM (4 days ago)
to django-...@googlegroups.com
#37170: No-argument form of @sensitive_post_parameters() doesn't cleanse
request.POST
-------------------------------------------+------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Error reporting | Version: dev
Severity: Normal | Keywords: not-security
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+------------------------------
The Security Team closed an informative report about the no-argument form
of `@sensitive_post_parameters()` not cleansing request.POST, as you can
see from adjusting this existing test:

{{{#!diff
diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
index 1986341177..835fe22111 100644
--- a/tests/view_tests/views.py
+++ b/tests/view_tests/views.py
@@ -398,7 +398,7 @@ async def async_sensitive_method_view_nested(request):


@sensitive_variables("sauce")
-@sensitive_post_parameters("bacon-key", "sausage-key")
+@sensitive_post_parameters()
def multivalue_dict_key_error(request):
cooked_eggs = "".join(["s", "c", "r", "a", "m", "b", "l", "e", "d"])
# NOQA
sauce = "".join( # NOQA
}}}
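Review bot: replacing the `("bacon-key", "sausage-key")` arguments on the `multivalue_dict_key_error` view leaves the named-key form with no coverage; a regression test should add the no-argument form as a second view (or a second test) next to the existing one rather than swapping the decorator, so that both `@sensitive_post_parameters("bacon-key", "sausage-key")` and `@sensitive_post_parameters()` are asserted to cleanse the report. The `AssertionError: 2 != 0` that follows does document the expectation correctly: with no arguments every POST key is meant to be cleansed, yet `'sausage-value'` still appears twice in the response. The hunk's context is cut off at `sauce = "".join( # NOQA`, so the eventual PR should also show the remainder of the view and assert that `bacon-value` is absent as well, not only the sausage value.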
{{{#!py
AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the
following response
}}}


... but the exception reporter filter is not in-scope for security issues,
as filtering is done on a [https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports best-efforts basis].

Looks like an oversight in #21098.
--
Ticket URL: <https://code.djangoproject.com/ticket/37170>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
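The failing assertion above comes from the decorator's no-argument form. As an added, standalone model (not Django's code and not part of the ticket), the following compares a cleanser that only walks a list of named keys with one that also honours an all-keys sentinel; the `__ALL__` sentinel, the dict-based request stand-in and both `cleanse_post_*` functions are assumptions made for illustration.

```python
CLEANSED_SUBSTITUTE = "********************"
ALL_PARAMETERS = "__ALL__"  # assumed sentinel: "every POST key is sensitive"

# Constructed sample POST body, reusing the key names from the ticket's test view.
SAMPLE_POST = {"bacon-key": ["bacon-value"], "sausage-key": ["sausage-value"]}


def mark_sensitive(request, *parameters):
    """Stand-in for @sensitive_post_parameters(): no names means all keys."""
    request["sensitive_post_parameters"] = list(parameters) or ALL_PARAMETERS
    return request


def cleanse_post_buggy(request, post):
    """Named-key cleansing that never checks for the all-keys sentinel.

    Iterating the sentinel string yields its characters ('_', 'A', 'L', ...),
    none of which is a POST key, so the no-argument form cleanses nothing.
    """
    sensitive = request.get("sensitive_post_parameters", [])
    cleansed = {key: list(values) for key, values in post.items()}
    for param in sensitive:
        if param in cleansed:
            cleansed[param] = [CLEANSED_SUBSTITUTE]
    return cleansed


def cleanse_post_fixed(request, post):
    """Same cleansing, but the sentinel selects every key before the loop runs."""
    sensitive = request.get("sensitive_post_parameters", [])
    cleansed = {key: list(values) for key, values in post.items()}
    if sensitive == ALL_PARAMETERS:
        targets = list(cleansed)
    else:
        targets = [param for param in sensitive if param in cleansed]
    for param in targets:
        cleansed[param] = [CLEANSED_SUBSTITUTE]
    return cleansed


def leaked_values(cleansed, post):
    """Original POST values that survived cleansing; an empty list means fully cleansed."""
    originals = {value for values in post.values() for value in values}
    return sorted(
        value for values in cleansed.values() for value in values if value in originals
    )
```

`leaked_values` is the check a regression test would make: it must be empty for both decorator forms, and a non-empty result for the no-argument form is exactly the `'sausage-value' unexpectedly found` failure the ticket shows.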

Django

Jun 15, 2026, 10:58:40 AM (4 days ago)
to django-...@googlegroups.com
#37170: No-argument form of @sensitive_post_parameters() doesn't cleanse
request.POST
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Error reporting | Version: dev
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Description changed by Jacob Walls:

Old description:
New description:

The Security Team closed an informative report about the no-argument form
of `@sensitive_post_parameters()` not cleansing request.POST, as you can
see from adjusting this existing test:

{{{#!diff
diff --git a/tests/view_tests/views.py b/tests/view_tests/views.py
index 1986341177..835fe22111 100644
--- a/tests/view_tests/views.py
+++ b/tests/view_tests/views.py
@@ -398,7 +398,7 @@ async def async_sensitive_method_view_nested(request):


@sensitive_variables("sauce")
-@sensitive_post_parameters("bacon-key", "sausage-key")
+@sensitive_post_parameters()
def multivalue_dict_key_error(request):
cooked_eggs = "".join(["s", "c", "r", "a", "m", "b", "l", "e", "d"])
# NOQA
sauce = "".join( # NOQA
}}}
{{{#!py
AssertionError: 2 != 0 :'sausage-value' unexpectedly found in the
following response
}}}


... but the exception reporter filter is not in-scope for security issues,
as filtering is done on a [https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-error-reports best-efforts basis].

Looks like an oversight in #21098.

Thanks LocalHost for the report.

--
Ticket URL: <https://code.djangoproject.com/ticket/37170#comment:1>

Django

Jun 15, 2026, 11:06:32 AM (4 days ago)
to django-...@googlegroups.com
#37170: No-argument form of @sensitive_post_parameters() doesn't cleanse
request.POST
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Error reporting | Version: dev
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Natalia Bidart):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/37170#comment:2>

Django

Jun 17, 2026, 3:27:26 PM (2 days ago)
to django-...@googlegroups.com
#37170: No-argument form of @sensitive_post_parameters() doesn't cleanse
request.POST
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Error reporting | Version: dev
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Jacob Walls):

* has_patch: 0 => 1

Comment:

[https://github.com/django/django/pull/21510 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/37170#comment:3>