Open slmtpz opened 2 years ago
Hi,
Thanks for the report, however I have difficulty understanding a concrete example and the possible dev mistakes which can lead to info leaking. Based on the code highlights, it seems `json` is not used when calling the `requests` library, no matter the content of `kwargs`.
Walkthrough

When intercepting a `request()`, requests-oauthlib doesn't take payload data passed with the `json` parameter into account. This leads to `kwargs` having the `json` parameter value. Notice that the same kwargs are passed to the `refresh_token()` call. The data is then included in the body data to be sent to the identity provider's refresh token endpoint.

Security Problem

As of `requests` 2.4.2, POST data can be sent with the `json` parameter. The data might include private information as it is intended for the POST body. The data is then further exposed to an identity provider when refreshing expired tokens if `auto_refresh` functionality is enabled while instantiating an `OAuth2Session` instance.

For the users

You can safely use the `data` parameter to pass your POST data instead of `json`.
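The forwarding path the report describes, as an added offline illustration that is not requests-oauthlib's code and not part of the issue: a toy session whose `request()` has a named `data` parameter plus `**kwargs` that are forwarded to `refresh_token()` when the token is expired, so you can see which caller-supplied parameters reach the refresh body. The class and helper names (`ToySession`, `refresh_body_fields`, `refresh_payload_leak`) and the sample payload are assumptions constructed for the example; the body-building rule (every forwarded kwarg becomes a field of the form-encoded refresh request) is a simplified model of the behaviour the issue reports, not the library's implementation.

```python
"""Toy model of kwargs forwarding from request() into refresh_token().

Added illustration, not requests-oauthlib code. It reproduces the shape the
issue describes: `data` is a named parameter and stays out of **kwargs,
while `json` lands in **kwargs and is forwarded to the refresh call.
"""
from urllib.parse import parse_qs, unquote_plus, urlencode


class ToySession:
    """Hypothetical stand-in for an OAuth2Session with auto_refresh enabled."""

    def __init__(self, token_expired=True, auto_refresh_url="https://idp.example/token"):
        self.token_expired = token_expired      # forces the refresh path on first use
        self.auto_refresh_url = auto_refresh_url
        self.refresh_requests = []              # (url, form-encoded body) sent to the IdP
        self.api_requests = []                  # (method, url, data, kwargs) sent to the API

    def refresh_token(self, token_url, refresh_token="r3fresh", **kwargs):
        # Simplified model: every forwarded kwarg becomes a field of the
        # form-encoded body posted to the identity provider's token endpoint.
        params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
        for key, value in kwargs.items():
            if value:
                params[key] = str(value)
        self.refresh_requests.append((token_url, urlencode(params)))
        self.token_expired = False
        return {"access_token": "new-token"}

    def request(self, method, url, data=None, **kwargs):
        # `data` is bound to the named parameter and never enters kwargs;
        # `json` (and any other extra keyword) is forwarded on refresh.
        if self.token_expired:
            self.refresh_token(self.auto_refresh_url, **kwargs)
        self.api_requests.append((method, url, data, kwargs))
        return {"status": 200}


def refresh_body_fields(session):
    """Names of the form fields that reached the refresh endpoint."""
    fields = set()
    for _url, body in session.refresh_requests:
        fields.update(parse_qs(body).keys())
    return fields


def refresh_payload_leak(use_json, secret="123-45-6789"):
    """Send one POST through the toy session and report whether the
    caller's (constructed) payload value shows up in any refresh body."""
    payload = {"ssn": secret, "note": "constructed sample payload"}
    session = ToySession()
    kwargs = {"json": payload} if use_json else {"data": payload}
    session.request("POST", "https://api.example/v1/records", **kwargs)
    return any(secret in unquote_plus(body) for _url, body in session.refresh_requests)


if __name__ == "__main__":
    print("json= payload reaches the IdP:", refresh_payload_leak(use_json=True))
    print("data= payload reaches the IdP:", refresh_payload_leak(use_json=False))
```

The two calls differ only in the keyword used for the body; with `json=` the refresh request carries a `json` field holding the whole payload, with `data=` the refresh body contains nothing but the grant parameters, which is the workaround the report gives to users.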