camptocamp/odoo-cloud-platform

[monitoring_log_requests] v13 leaks passwords!

dannyadair opened this issue · 2 comments

In v14 and v15 only three specific fields of "params" get logged

https://github.com/camptocamp/odoo-cloud-platform/blob/14.0/monitoring_log_requests/models/ir_http.py#L73
https://github.com/camptocamp/odoo-cloud-platform/blob/15.0/monitoring_log_requests/models/ir_http.py#L73

        info.update({
            'model': request.params.get('model'),
            'model_method': request.params.get('method'),
            'workflow_signal': request.params.get('signal'),
        })

but in v13 the entire "params" just gets logged as one big dictionary

https://github.com/camptocamp/odoo-cloud-platform/blob/13.0/monitoring_log_requests/models/ir_http.py#L96

    if hasattr(request, "params"):
        info["params"] = dict(request.params)

which will include "login" and "password" from the login page (or API call), in cleartext.
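To make the difference concrete, here is an added example (not code from the odoo-cloud-platform repository) that puts the 13.0 "copy the whole params dict" pattern next to the 14.0/15.0 allowlist and a redacting fallback; `FakeRequest` stands in for Odoo's `request` object, and the key names in `SENSITIVE_KEYS` beyond `login`/`password` are assumptions.

```python
# Added example, not the project's own code. The v13 pattern that copies the whole
# request.params dict into the log record, beside two hardened alternatives.
from typing import Any, Dict

# Assumed list of keys that must never reach a log file (login/password are from the report).
SENSITIVE_KEYS = frozenset({"login", "password", "new_password", "old_password", "api_key"})
# Map of request param -> log field, mirroring what the 14.0/15.0 branches copy.
ALLOWED_KEYS = {"model": "model", "method": "model_method", "signal": "workflow_signal"}


class FakeRequest:
    """Minimal stand-in for odoo.http.request, constructed for this example."""
    def __init__(self, params: Dict[str, Any]) -> None:
        self.params = params


def info_v13_leaky(request) -> Dict[str, Any]:
    """What the 13.0 branch does: the full params dict lands in the log, secrets included."""
    info: Dict[str, Any] = {}
    if hasattr(request, "params"):
        info["params"] = dict(request.params)
    return info


def info_allowlist(request) -> Dict[str, Any]:
    """14.0/15.0 approach: only known-harmless keys are copied; everything else is dropped."""
    info: Dict[str, Any] = {}
    params = getattr(request, "params", None) or {}
    info.update({log_key: params.get(src) for src, log_key in ALLOWED_KEYS.items()})
    return info


def redact(params: Dict[str, Any]) -> Dict[str, Any]:
    """Denylist fallback if the whole dict must be kept: mask secrets, recurse into nested dicts."""
    out: Dict[str, Any] = {}
    for key, value in params.items():
        if key.lower() in SENSITIVE_KEYS or "password" in key.lower():
            out[key] = "***REDACTED***"
        elif isinstance(value, dict):
            out[key] = redact(value)  # JSON-RPC bodies nest params under "params"/"kwargs"
        else:
            out[key] = value
    return out


def info_v13_redacted(request) -> Dict[str, Any]:
    """Same shape as the 13.0 record, but run through redact() before logging."""
    info: Dict[str, Any] = {}
    if hasattr(request, "params"):
        info["params"] = redact(dict(request.params))
    return info


# Constructed sample: what a /web/login POST looks like to the request logger.
LOGIN_PARAMS = {"login": "alice@example.com", "password": "hunter2", "redirect": "/web"}
```

The allowlist is the safer default because it cannot be defeated by a field name the denylist did not anticipate; the redactor is only for deployments that need the full dict for debugging.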

Thanks for reporting. Origin seems to be #198.
@p-tombez could you have a look pls?

There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this issue to never become stale, please ask a PSC member to apply the "no stale" label.