Skip to content

fix: sanitize parser sandbox error messages to prevent sensitive data leaks#1680

Open
ionfwsrijan wants to merge 4 commits into
utksh1:mainfrom
ionfwsrijan:fix/1626-parser-sandbox-sensitive-data-leak
Open

fix: sanitize parser sandbox error messages to prevent sensitive data leaks#1680
ionfwsrijan wants to merge 4 commits into
utksh1:mainfrom
ionfwsrijan:fix/1626-parser-sandbox-sensitive-data-leak

Conversation

@ionfwsrijan

Copy link
Copy Markdown
Contributor

Description

The ParserSandboxError exception includes captured stderr output (up to 2000 chars) in its message, which propagates through the call stack into task.error_message in the database and ultimately to the API response. Additionally, _BOOTSTRAP_TEMPLATE.format() uses user-influenced parser_path which can cause format-string injection.

Changes

  1. backend/secuscan/parser_sandbox.py:ParserSandboxError — Apply redact() to the stderr excerpt and reduce limit from 2000 to 500 chars. This ensures secrets in parser diagnostic output are sanitized before they reach the API layer.
  2. backend/secuscan/parser_sandbox.py:_BOOTSTRAP_TEMPLATE — Replace str.format() with str.replace() using sentinel markers (__MAX_INPUT_BYTES__, __PARSER_PATH_REPR__) to prevent format-string injection via user-influenced parser_path.
  3. backend/secuscan/executor.py:execute_task() — Apply redact() to str(e) before storing as error_message in the general exception handler.
  4. backend/secuscan/executor.py:_parse_results() — Apply redact() to the error message in the generic exception handler.
  5. backend/secuscan/parser_sandbox.py — Updated module docstring with security notes about stderr sensitivity.

Impact

  • Secrets in parser stderr output are redacted before reaching the API response
  • Format-string injection via plugin file paths is eliminated
  • Error messages stored in the database are sanitized
  • Diagnostic stderr is still captured for logging but sanitized before user-facing exposure

Files Changed

  • backend/secuscan/parser_sandbox.py — ParserSandboxError sanitization, template injection fix, docstring update
  • backend/secuscan/executor.py — redact() applied in exception handlers

Closes #1626

… leaks (utksh1#1626)

- Apply redact() to stderr excerpt in ParserSandboxError, limit to 500 chars
- Use str.replace() instead of str.format() in _BOOTSTRAP_TEMPLATE to
  prevent format-string injection via parser_path
- Apply redact() to error_message in executor exception handlers
- Update module docstring with security notes about stderr sensitivity
… -> _stderr_diagnostic, Template.safe_substitute)
@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please review this. The failing check is pre-exisiting

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Parser Sandbox Captures Stderr with Sensitive Data and Leaks It Via Exception Messages

1 participant