fix: sanitize parser sandbox error messages to prevent sensitive data leaks#1680
Open
ionfwsrijan wants to merge 4 commits into
Open
fix: sanitize parser sandbox error messages to prevent sensitive data leaks#1680ionfwsrijan wants to merge 4 commits into
ionfwsrijan wants to merge 4 commits into
Conversation
… leaks (utksh1#1626) - Apply redact() to stderr excerpt in ParserSandboxError, limit to 500 chars - Use str.replace() instead of str.format() in _BOOTSTRAP_TEMPLATE to prevent format-string injection via parser_path - Apply redact() to error_message in executor exception handlers - Update module docstring with security notes about stderr sensitivity
… -> _stderr_diagnostic, Template.safe_substitute)
Contributor
Author
|
@utksh1 Please review this. The failing check is pre-exisiting |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
ParserSandboxErrorexception includes captured stderr output (up to 2000 chars) in its message, which propagates through the call stack intotask.error_messagein the database and ultimately to the API response. Additionally,_BOOTSTRAP_TEMPLATE.format()uses user-influencedparser_pathwhich can cause format-string injection.Changes
backend/secuscan/parser_sandbox.py:ParserSandboxError— Applyredact()to the stderr excerpt and reduce limit from 2000 to 500 chars. This ensures secrets in parser diagnostic output are sanitized before they reach the API layer.backend/secuscan/parser_sandbox.py:_BOOTSTRAP_TEMPLATE— Replacestr.format()withstr.replace()using sentinel markers (__MAX_INPUT_BYTES__,__PARSER_PATH_REPR__) to prevent format-string injection via user-influencedparser_path.backend/secuscan/executor.py:execute_task()— Applyredact()tostr(e)before storing aserror_messagein the general exception handler.backend/secuscan/executor.py:_parse_results()— Applyredact()to the error message in the generic exception handler.backend/secuscan/parser_sandbox.py— Updated module docstring with security notes about stderr sensitivity.Impact
Files Changed
backend/secuscan/parser_sandbox.py— ParserSandboxError sanitization, template injection fix, docstring updatebackend/secuscan/executor.py— redact() applied in exception handlersCloses #1626