Closed camsaul closed 3 years ago
exceptions-response https://github.com/dakrone/clj-http/blob/3.x/src/clj_http/client.clj#L232-L241 will return the request (req) in any exceptional responses, which can potentially leak sensitive info such as HTTP basic auth headers or session cookies. Example:
(#'clj-http.client/exceptions-response {:headers {"user" "cam", "password" "SECRET"}} {:status 404}) => Unhandled clojure.lang.ExceptionInfo clj-http: status 404 {:object {:status 404, :type :clj-http.client/unexceptional-status}, :environment {req {:headers {"user" "cam", "password" "SECRET"}}, p__45298 {:status 404}, map__45299 {:status 404}, resp {:status 404}, status 404, data {:status 404, :type :clj-http.client/unexceptional-status}}}
This is caused by use of Slingshot throw+ -- the macro automatically includes any local bindings visible to it via &env under the :environment key:
(let [x 1] (slingshot.slingshot/throw+ "OOPS")) => Unhandled clojure.lang.ExceptionInfo throw+: "OOPS" {:object "OOPS", :environment {x 1}}
I'm not sure if this is intentional or not. If this is by design, please feel free to close this issue. If not, I am happy to submit a PR to address it.
Sorry, it looks like this was fixed upstream in Slingshot: https://github.com/scgilardi/slingshot/issues/36
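The defensive pattern the report implies, as an added example that is not code from clj-http or Slingshot: throw a plain `ex-info` whose data carries only a redacted copy of the request, so nothing captured from local bindings or from credential-bearing headers can reach logs or error responses. The header set, the `:basic-auth`/`:oauth-token`/`:cookie-store` keys and the function `safe-exceptions-response` are assumptions of this example, not the library's API.

```clojure
(ns example.redact
  (:require [clojure.string :as str]))

;; Constructed list of header names whose values must never end up in exception data.
(def sensitive-headers
  #{"authorization" "proxy-authorization" "cookie" "set-cookie" "password"})

(defn redact-headers
  "Replace the value of every sensitive header (matched case-insensitively)
  with a fixed placeholder; other headers are passed through unchanged."
  [headers]
  (into {}
        (map (fn [[k v]]
               [k (if (contains? sensitive-headers (str/lower-case (name k)))
                    "[REDACTED]"
                    v)]))
        headers))

(defn redact-request
  "Return a copy of a clj-http style request map that is safe to attach to an
  exception: headers scrubbed, credential options and body dropped (assumed keys)."
  [req]
  (-> req
      (update :headers redact-headers)
      (dissoc :basic-auth :oauth-token :cookie-store :body)))

(defn safe-exceptions-response
  "Hypothetical stand-in for a status check: returns 2xx responses unchanged and
  throws ex-info for anything else. Unlike Slingshot's throw+, ex-info attaches
  exactly the map it is given, so no local bindings are captured."
  [req {:keys [status] :as resp}]
  (if (and status (<= 200 status 299))
    resp
    (throw (ex-info (str "status " status)
                    {:status  status
                     :type    ::unexceptional-status
                     :request (redact-request req)}))))

(comment
  ;; Constructed request with a basic-auth header; ex-data of the thrown
  ;; exception shows "[REDACTED]" for Authorization and no :basic-auth key.
  (try
    (safe-exceptions-response
     {:headers    {"Authorization" "Basic Y2FtOlNFQ1JFVA==" "Accept" "application/json"}
      :basic-auth ["cam" "SECRET"]}
     {:status 404})
    (catch clojure.lang.ExceptionInfo e
      (ex-data e))))
```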