Open sbeignez opened 9 years ago
I feel like this is a bug in django.
https://github.com/django/django/blob/1.10.1/django/views/debug.py#L40
The algorithm checks the variable name for sensitivity, then descends into nested dictionaries, checking for sensitivity at each level.
If any of the levels are deemed non-sensitive, the path ends there, and everything is returned verbatim.
In my mind, it should completely traverse nested dictionaries, stopping when it censors something, instead of when it doesn't, for instance:
MIXED_SENSITIVITY_DATA = {
'secret_sensitive_data': 'foo',
'mixed_sensitivity_nested': {
'secret_sensitive_data': {
'everything_in_here': 'will_be_censored',
},
'non_secret_data': 'baz',
}
}
would become
MIXED_SENSITIVITY_DATA = {
'secret_sensitive_data': '**********',
'mixed_sensitivity_nested': {
'secret_sensitive_data': '**********',
'non_secret_data': 'baz',
}
}
as opposed to what it becomes now:
It's possible to work around this without resorting to environment variables or similar, by adding the following somewhere in the project that gets run. I put it in settings.py
.
from django.views import debug
import re
debug.HIDDEN_SETTINGS = re.compile(
debug.HIDDEN_SETTINGS.pattern + '|PAYMENT_VARIANTS',
flags=re.IGNORECASE,
)
But this feels VERY subversive.
The payment providers' Secret keys appears in CLEAR in the the debug console.
PAYMENT_VARIANTS {'stripe': ('payments.stripe.StripeProvider', {'public_key': 'pk_test_i7RTWcR0w8aK3KZB2yEfeGVi', 'secret_key': 'sk_test_k4aH2sWIisUK0TqtPwdUmJ6o'})}
For security, hide the secret keys in the debug console.
By renaming the parameter:
PAYMENT_VARIANTS
toSECRET_PAYMENT_VARIANTS
for example. (can use any of these keywords:API TOKEN KEY SECRET PASS SIGNATURE
)And the keys will appears like that:
SECRET_KEY u'********************'
See conversation about this issued here: http://stackoverflow.com/questions/29351830/django-payments-how-to-keep-the-secret-key-secret
Thanks!