session: Scrape API key out of requests exceptions

crobinso · crobinso · commit f4e980577d05 · 2020-11-12T19:19:12.000-05:00
Via the params dictionary this can leak into requests errors, depending on the way it fails. Perform a straight string replacement on the exception string and re-raise the exception https://bugzilla.redhat.com/show_bug.cgi?id=1896791 Signed-off-by: Cole Robinson <crobinso@redhat.com>
diff --git a/bugzilla/_session.py b/bugzilla/_session.py
@@ -4,6 +4,8 @@
 from logging import getLogger
 
 import os
+import sys
+
 import requests
 
 from ._compatimports import urlparse
@@ -97,6 +99,7 @@ def request(self, *args, **kwargs):
         timeout = self._get_timeout()
         if "timeout" not in kwargs:
             kwargs["timeout"] = timeout
+
         response = self._session.request(*args, **kwargs)
 
         if self._is_xmlrpc:
@@ -106,5 +109,11 @@ def request(self, *args, **kwargs):
             # Set response cookies
             self.set_response_cookies(response)
 
-        response.raise_for_status()
+        try:
+            response.raise_for_status()
+        except Exception as e:
+            # Scrape the api key out of the returned exception string
+            message = str(e).replace(self._api_key or "", "")
+            raise type(e)(message).with_traceback(sys.exc_info()[2])
+
         return response
diff --git a/tests/test_ro_functional.py b/tests/test_ro_functional.py
@@ -8,6 +8,7 @@
 """
 Unit tests that do readonly functional tests against real bugzilla instances.
 """
+import pytest
 
 import bugzilla
 import tests
@@ -63,6 +64,22 @@ def test_rest_xmlrpc_detection():
     assert bz.is_xmlrpc()
 
 
+def test_apikey_error_scraping():
+    # Ensure the API key does not leak into any requests exceptions
+    fakekey = "FOOBARMYKEY"
+    with pytest.raises(Exception) as e:
+        _open_bz("https://httpstat.us/502&foo",
+                force_xmlrpc=True, api_key=fakekey)
+    assert "400 Client Error" in str(e.value)
+    assert fakekey not in str(e.value)
+
+    with pytest.raises(Exception) as e:
+        _open_bz("https://httpstat.us/502&foo",
+                force_rest=True, api_key=fakekey)
+    assert "400 Client Error" in str(e.value)
+    assert fakekey not in str(e.value)
+
+
 ###################
 # mozilla testing #
 ###################
