Error Ticket Includes Sensitive Information


zm

Mar 25, 2019, 1:57:00 PM
to web2py-users
The error tickets created by the framework are great for debugging; however, depending on where a failure occurs, they can include very sensitive information like user ID + password combinations.

Is it possible to filter certain fields out of the tickets such as user name / password?  It seems like snapshot could be updated to include some sort of filter.   

Dave S

Mar 25, 2019, 4:30:30 PM
to web2py-users


On Monday, March 25, 2019 at 10:57:00 AM UTC-7, zm wrote:
> The error tickets created by the framework are great for debugging; however, depending on where a failure occurs, they can include very sensitive information like user ID + password combinations.
>
> Is it possible to filter certain fields out of the tickets such as user name / password?  It seems like snapshot could be updated to include some sort of filter.

The tickets are only visible (out of the box, at least) to the Admin account.  Exposing passwords to the Admin account has become a no-no, but even without them the Admin can reset the password or disable the account.  The purpose of the tickets is to allow programming errors to be corrected, and every once in a while the error is password-related.  Take your choice.

Is there other information in the ticket that should be filtered?

/dps

zm

Mar 25, 2019, 10:28:21 PM
to web2py-users
Having some sort of filter criteria would make sense to me.  For example, a list of arguments and variables to redact / filter.  

Dave S

Mar 26, 2019, 1:23:17 AM
to web2py-users


On Monday, March 25, 2019 at 7:28:21 PM UTC-7, zm wrote:
> Having some sort of filter criteria would make sense to me.  For example, a list of arguments and variables to redact / filter.


But what are you concerned about, beyond the password issue?  What do you want to be able to filter?  What have you found in tickets you've looked at that raises flags?

/dps
 

zm

Mar 26, 2019, 5:29:18 PM
to web2py-users
I feel like I am missing something, so forgive me if I sound sarcastic, it's not intended.

The framework should present the ability to add an instance level filter of arguments, variables, and function calls that should be redacted from the ticket.  

In my use case, I am concerned with the password, in other environments there may be concerns of other data being exposed in variables, arguments, or function calls.  For example, ABA routing / account numbers, cc numbers (hopefully these would all be going through another interface), user demographic information, etc.  
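
The name-based filter proposed in this post, as an added example (not part of the thread and not web2py's own code): it walks an exception's traceback frames, masks locals whose names match an assumed deny-list, and scrubs copies of those values from the exception message. `SENSITIVE`, `redacted_snapshot`, `login` and `demo` are hypothetical names, and the credentials are constructed.

```python
import re

# Assumed deny-list of variable/key names (constructed for this example).
SENSITIVE = re.compile(r"passw(or)?d|pwd|secret|token|card|routing|account", re.I)
MASK = "[REDACTED]"

def _scrub(text, found):
    # Replace every known secret value, longest first.
    for secret in sorted(found, key=len, reverse=True):
        text = text.replace(secret, MASK)
    return text

def _collect(name, value, found, depth=0):
    # Remember values bound to sensitive names so leaked copies can be scrubbed.
    if SENSITIVE.search(str(name)) and len(str(value)) >= 4:
        found.add(str(value))
    elif isinstance(value, dict) and depth < 4:
        for k, v in value.items():
            _collect(k, v, found, depth + 1)

def _render(name, value, found, depth=0):
    # Mask by name, recurse into dicts, scrub leaked copies from everything else.
    if SENSITIVE.search(str(name)):
        return MASK
    if isinstance(value, dict) and depth < 4:
        return {str(k): _render(k, v, found, depth + 1) for k, v in value.items()}
    return _scrub(repr(value), found)[:200]

def redacted_snapshot(exc):
    """Ticket-like dict for an exception, with sensitive data masked."""
    frames, found, tb = [], set(), exc.__traceback__
    while tb is not None:
        frames.append((tb.tb_frame.f_code.co_name, dict(tb.tb_frame.f_locals)))
        tb = tb.tb_next
    for _, local_vars in frames:
        _collect("", local_vars, found)
    return {"etype": type(exc).__name__,
            "evalue": _scrub(str(exc), found),
            "frames": [{"func": fn, "locals": _render("", lv, found)}
                       for fn, lv in frames]}

def login(username, password):  # constructed failing handler
    form = {"username": username, "password": password}
    raise ValueError("auth backend rejected %s:%s" % (username, password))

def demo():
    try:
        login("alice", "hunter2-constructed")
    except ValueError as exc:
        return redacted_snapshot(exc)
```

Masking by name alone would still leave the password in the exception message and in the `repr` of the caught exception, which is why the values are collected first and scrubbed from every rendered string.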

Dave S

Mar 26, 2019, 5:53:05 PM
to web2py-users


On Tuesday, March 26, 2019 at 2:29:18 PM UTC-7, zm wrote:
> I feel like I am missing something, so forgive me if I sound sarcastic, it's not intended.

And I hope you didn't think I was rejecting your idea; I felt it worthy of discussion, but I wanted you to be more specific about the concerns.
 

> The framework should present the ability to add an instance level filter of arguments, variables, and function calls that should be redacted from the ticket.
>
> In my use case, I am concerned with the password, in other environments there may be concerns of other data being exposed in variables, arguments, or function calls.  For example, ABA routing / account numbers, cc numbers (hopefully these would all be going through another interface), user demographic information, etc.


I can see that these would be serious items to leak.  The one counter-argument I can come up with is that occasionally (rarely, I hope), these items might be the actual issue ... perhaps a failure to have a proper error response for something with the wrong format, and the wrongness has to be seen to be understood.

There's also the complicating factor that anything in the request might be in the logs (one of the reasons to use POST data for sensitive items rather than GET vars),  or the database.  Since most of us would use Stripe or a similar service for payments, that part shouldn't be around, but for a larger system the developer could have limited access to the database, and that limit shouldn't be subverted by the ticket.

There's a lot to discuss here, I think.

/dps

Anthony

Mar 26, 2019, 10:32:39 PM
to web2py-users
I don't think it's possible, but feel free to get a discussion going on the developers' list. I'm sure a pull request would be welcome once an approach is decided.

Anthony

zm

Apr 4, 2019, 10:38:30 AM
to web2py-users
For what it's worth, I did post to the developer list, however it never appeared.  I assume it requires moderator approval or was rejected.

Kevin Keller

Apr 4, 2019, 10:47:10 AM
to web2py-users
Can error messages and tickets in production not be restricted to server log files and disabled from being displayed to users, or at least the ticket itself made inaccessible to normal users?


Anthony

Apr 4, 2019, 11:43:01 AM
to web2py-users
On Thursday, April 4, 2019 at 10:47:10 AM UTC-4, Kevin Keller wrote:
> Can error messages and tickets in production not be restricted to server log files and disabled from being displayed to users, or at least the ticket itself made inaccessible to normal users?

Normal users can never see error tickets. The problem is writing sensitive information to the server storage.

Anthony