dakrone / clj-http

An idiomatic clojure http client wrapping the apache client. Officially supported version.
http://clojars.org/clj-http
MIT License

Exception responses leak requests #594

Closed camsaul closed 3 years ago

camsaul commented 3 years ago

exceptions-response https://github.com/dakrone/clj-http/blob/3.x/src/clj_http/client.clj#L232-L241 will return the request (req) in any exceptional responses, which can potentially leak sensitive info such as HTTP basic auth headers or session cookies. Example:

(#'clj-http.client/exceptions-response
 {:headers {"user" "cam", "password" "SECRET"}}
 {:status 404})
=>
Unhandled clojure.lang.ExceptionInfo
clj-http: status 404
{:object      {:status 404, :type :clj-http.client/unexceptional-status},
 :environment {req        {:headers {"user" "cam", "password" "SECRET"}},
               p__45298   {:status 404},
               map__45299 {:status 404},
               resp       {:status 404},
               status     404,
               data       {:status 404, :type :clj-http.client/unexceptional-status}}}

This is caused by use of Slingshot throw+ -- the macro automatically includes any local bindings visible to it via &env under the :environment key:

(let [x 1]
  (slingshot.slingshot/throw+ "OOPS"))
=>
Unhandled clojure.lang.ExceptionInfo
throw+: "OOPS"
{:object "OOPS", :environment {x 1}}

I'm not sure if this is intentional or not. If this is by design, please feel free to close this issue. If not, I am happy to submit a PR to address it.
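A defensive complement to the report above, added here as an example and not part of the issue or of clj-http: a small redaction step that scrubs credential-bearing keys from `ex-data` (including the `:environment` map that `throw+` attaches, where the request shows up under the local binding `req`) before anything is logged. The key list, the `redact`/`safe-ex-data` names and the sample exception are all constructed for this example; only `clojure.core` and `clojure.walk` are used, and no request is made.

```clojure
(ns redact-example
  (:require [clojure.string :as str]
            [clojure.walk :as walk]))

;; Header names and request keys whose values must never reach a log line.
;; Constructed for this example; extend it for your own application.
(def sensitive-keys
  #{"authorization" "proxy-authorization" "cookie" "set-cookie"
    "password" :basic-auth :oauth-token :cookies})

(defn- sensitive-key?
  "Match string keys case-insensitively (HTTP headers are), keywords exactly."
  [k]
  (or (contains? sensitive-keys k)
      (and (string? k) (contains? sensitive-keys (str/lower-case k)))))

(defn redact
  "Walk arbitrarily nested data and replace the value of every sensitive key
   with a placeholder. Works on the whole ex-data map, so the `req` captured
   under :environment by Slingshot's throw+ is covered as well."
  [data]
  (walk/postwalk
   (fn [x]
     (if (map? x)
       (into (empty x)
             (map (fn [[k v]] [k (if (sensitive-key? k) "<redacted>" v)]))
             x)
       x))
   data))

(defn safe-ex-data
  "ex-data of a clj-http / Slingshot exception with secrets removed;
   log this instead of (ex-data e)."
  [^Throwable e]
  (redact (ex-data e)))

;; Constructed exception mimicking the shape shown in the issue.
(def leaky-exception
  (ex-info "clj-http: status 404"
           {:object      {:status 404 :type :clj-http.client/unexceptional-status}
            :environment {'req    {:headers    {"user" "cam", "Password" "SECRET"}
                                   :basic-auth ["cam" "SECRET"]}
                          'status 404}}))

(comment
  ;; "Password" and :basic-auth are replaced; :status and "user" survive.
  (safe-ex-data leaky-exception))
```

Wrap calls to `clj-http.client/request` in a `try`/`catch clojure.lang.ExceptionInfo` and pass the caught exception through `safe-ex-data` at the logging boundary, so the redaction does not depend on which Slingshot version is on the classpath.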

camsaul commented 3 years ago

Sorry, it looks like this was fixed upstream in Slingshot: https://github.com/scgilardi/slingshot/issues/36