Closed mateuszmandera closed 2 years ago
Thanks for the issue report! Currently very busy at my day job so it might be a bit before I can get to this. If you'd like to do so instead, please feel free; just post here that you are working on the issue.
@logston I've been fixing issues like this in our codebase with hacks. I'm happy to open a PR to resolve this, as it's probably a better place to fix sensitive data leaks.
Sure! If you'd like to take it, by all means. Let me know your decision @powellc.
Thanks a lot for the fix!
The `SCIMView.dispatch` method converts any exception into a string and puts it in the HttpResponse. I think ideally there'd be a setting allowing library users to opt out of this behavior (or possibly even better - this behavior should be disabled by default and require explicitly enabling it) and use a generic message such as `Exception occurred while processing the SCIM request`. The reason being that while this is very useful for debugging, it can be dangerous in production - sensitive information can be revealed through `str(e)`, and the SCIM client may not always be a party so trusted that revealing information would be harmless. As a simple example, if you deploy some bug to production where `some_dict[secret_string]` gets called, causing `KeyError`, the `secret_string` will be revealed to the SCIM client.
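The leak described in the issue, and the opt-in setting it proposes, as an added standalone example. This is not django-scim2's `SCIMView.dispatch` and does not import Django; `dispatch`, `scim_error_body`, the `expose_details` flag, the `GENERIC_MESSAGE` text and the sample handler with its secret value are all assumptions made for illustration.

```python
"""Sketch of an exception-to-response path with a gate on exception details.

Hypothetical code: it mimics the shape of a view dispatch that catches every
exception and builds an error response, so the difference between echoing
str(exc) and returning a generic message can be observed.
"""
import logging

logger = logging.getLogger("scim")

# Generic text suggested in the issue; the client learns nothing else.
GENERIC_MESSAGE = "Exception occurred while processing the SCIM request"

# SCIM 2.0 error schema URN (RFC 7644 section 3.12).
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error_body(exc, expose_details=False):
    """Build the body of a SCIM error response for an unhandled exception.

    expose_details stands in for a hypothetical library setting. It defaults
    to False (the safer default the issue argues for): the client gets only
    GENERIC_MESSAGE and the exception text is written to the server log.
    When True, str(exc) is echoed to the client, which is the behaviour the
    issue reports.
    """
    if expose_details:
        detail = str(exc)
    else:
        # Keep the debugging value server-side; exc_info attaches the traceback.
        logger.error("unhandled exception in SCIM view: %r", exc, exc_info=exc)
        detail = GENERIC_MESSAGE
    return {"schemas": [SCIM_ERROR_SCHEMA], "status": "500", "detail": detail}


def dispatch(handler, expose_details=False):
    """Run a request handler and turn any exception into a (status, body) pair.

    handler is a zero-argument callable returning the success body.
    """
    try:
        return 200, handler()
    except Exception as exc:  # noqa: BLE001 - intentional catch-all, as in the issue
        return 500, scim_error_body(exc, expose_details)


# Constructed sample: a deployed bug that indexes a dict with a secret,
# the KeyError scenario from the issue. The token value is made up.
SECRET_TOKEN = "sk-live-0123456789"


def buggy_handler():
    lookup = {"sk-test-deadbeef": "tenant-a"}
    return lookup[SECRET_TOKEN]  # KeyError whose str() contains the secret


def secret_leaked(body):
    """True if the secret appears anywhere in the serialized error body."""
    return SECRET_TOKEN in repr(body)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for flag in (True, False):
        status, body = dispatch(buggy_handler, expose_details=flag)
        print(f"expose_details={flag}: status={status} leaked={secret_leaked(body)}")
        print("  detail:", body["detail"])
```

With `expose_details=True` the detail field is `'sk-live-0123456789'`, exactly the value the SCIM client should never see; with the default it is the generic message and the KeyError goes to the `scim` logger instead.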