liefery-it-legacy / bugsnex

API client and logger for Bugsnag
MIT License

Sanitization of params #23

Closed bitboxer closed 7 years ago

bitboxer commented 7 years ago

Short question: the Bugsnex.Plug collects the conn.params and sends them to Bugsnag. I don't see any form of cleaning in there. Does this mean that passwords are sent to Bugsnag right now?

PragTob commented 7 years ago

Hi,

thanks for the issue report. I'm not quite sure :sweat_smile:

Yes, there doesn't seem to be parameter sanitization, but at the same time I only see us fetching the session and query params, but chances are plug parser already ran on the conn. (Hopefully).

So, looking at our bugsnags - yes it probably would. :sweat:

Hasn't been a problem for us yet as we don't deal with passwords and the like, but yeah there should definitely be a mechanism for this that by default scrubs out values for password/api_key and the like.

Thanks for noticing and sorry for the inconvenience.

bitboxer commented 7 years ago

Okay. Will try to implement this. Currently thinking of filtering these as default:

Any others that should be filtered?

PragTob commented 7 years ago

none that I can think of atm, thank you!

bitboxer commented 7 years ago

Thank you!

PragTob commented 7 years ago

If everything goes well, release incoming today :)

PragTob commented 7 years ago

Released in 0.3.0
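
The default scrubbing discussed in this thread, as an added example that is not Bugsnex's own code: a recursive filter applied to params before they leave the application. The module name `ParamScrubber`, the `[FILTERED]` mask and the substring matching are assumptions; the default keys `password` and `api_key` are the ones named above.

```elixir
# Added example: hypothetical module, not the Bugsnex implementation.
defmodule ParamScrubber do
  @moduledoc "Recursively masks sensitive values in Plug-style params."

  # Defaults are the keys named in the thread; extend per application.
  @default_keys ~w(password api_key)
  @mask "[FILTERED]"

  def scrub(params, keys \\ @default_keys)

  # Structs (for example %Plug.Upload{}) are passed through unchanged.
  def scrub(%_{} = struct, _keys), do: struct

  # Maps: mask the value of a sensitive key, otherwise descend into it.
  def scrub(%{} = map, keys) do
    Map.new(map, fn {k, v} ->
      if sensitive?(k, keys), do: {k, @mask}, else: {k, scrub(v, keys)}
    end)
  end

  # Lists of nested params (e.g. "items[]") are scrubbed element by element.
  def scrub(list, keys) when is_list(list), do: Enum.map(list, &scrub(&1, keys))
  def scrub(other, _keys), do: other

  # Case-insensitive substring match (an assumption of this example), so
  # "password_confirmation" and "user_api_key" are caught as well.
  defp sensitive?(key, keys) when is_atom(key), do: sensitive?(Atom.to_string(key), keys)

  defp sensitive?(key, keys) when is_binary(key) do
    down = String.downcase(key)
    Enum.any?(keys, &String.contains?(down, &1))
  end

  defp sensitive?(_key, _keys), do: false
end

# Constructed sample shaped like conn.params after Plug.Parsers has run.
params = %{
  "user" => %{
    "email" => "a@example.com",
    "password" => "hunter2",
    "password_confirmation" => "hunter2"
  },
  "api_key" => "constructed-key",
  "items" => [%{"id" => 1, "Password" => "x"}]
}

IO.inspect(ParamScrubber.scrub(params))
```

Masking the whole value of a matching key, including nested maps under it, avoids leaking secrets that sit one level below a sensitive name.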