sodadata / soda-sql

Soda SQL and Soda Spark have been deprecated and replaced by Soda Core. docs.soda.io/soda-core/overview.html
https://docs.soda.io/
Apache License 2.0

Possible disclosure of confidential information [LOW] #187

Closed jmarien closed 2 years ago

jmarien commented 2 years ago

When failing to log on to the Soda cloud (server), the entire JSON of the error response is logged. In soda_server_client/soda_server_client.py, line 222:

    if login_response.status_code != 200:
        raise AssertionError(f'< {login_response.status_code} Login failed: {login_response.content}')

Given that this is the result of a failed logon, there is a chance that the response may contain the password or API key that was used in the logon attempt.

jmarien commented 2 years ago

This is mitigated server-side and confirmed effective.
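
A client-side complement to the server-side mitigation reported above, as an added example that is not code from the soda-sql project: the status check from the issue, rewritten so the error message never echoes the raw response body. The function names, the key-name pattern and the sample response are assumptions made for illustration.

```python
import json
import re

# Assumed key-name pattern for credential-like fields; extend for your API.
SENSITIVE_KEY = re.compile(r"pass(word)?|secret|token|api[_-]?key|authorization", re.I)
MAX_BODY_CHARS = 200


def redact(value):
    """Recursively replace values stored under credential-like keys."""
    if isinstance(value, dict):
        return {
            k: "[REDACTED]" if SENSITIVE_KEY.search(str(k)) else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def login_failure_message(status_code: int, content: bytes) -> str:
    """Build an error message that never echoes the raw response body."""
    try:
        body = json.dumps(redact(json.loads(content)))
    except (ValueError, UnicodeDecodeError):
        # Non-JSON bodies cannot be redacted by key, so report only the size.
        body = f"<{len(content)} bytes of non-JSON body omitted>"
    if len(body) > MAX_BODY_CHARS:
        body = body[:MAX_BODY_CHARS] + "...(truncated)"
    return f"Login failed with status {status_code}: {body}"


def check_login(status_code: int, content: bytes) -> None:
    """Hardened form of the status check quoted in the issue."""
    if status_code != 200:
        raise AssertionError(login_failure_message(status_code, content))


# Constructed sample: an error response that echoes the submitted credentials.
SAMPLE = json.dumps({
    "code": "invalid_credentials",
    "request": {"username": "alice@example.com", "password": "hunter2",
                "api_key_secret": "constructed-secret"},
}).encode()

if __name__ == "__main__":
    print(login_failure_message(401, SAMPLE))
```

Key-based redaction does not catch a secret embedded inside a free-text value such as an error message string, so the strictest option is to log only the status code.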