Errors leak potentially secret information #11

Open
mpareja opened this issue Sep 27, 2018 · 0 comments

mpareja commented Sep 27, 2018

The errors thrown by this module include the request, options and response details.

These objects tend to carry sensitive information like Authorization headers and POST parameters which could contain passwords. Given that the functions calling request-promise should have all of the request context, I contend the potential security exposure is not worth the convenience of having this information on the error objects.

Consider, for instance, generic JSON logging of errors. It would be quite easy to leak passwords into log files. Unfortunately, this security threat is insidious in nature since it will only present itself under error circumstances. In other words, leaks are likely to go unnoticed until long after the software is running in production.

analog-nico added the "Bump Major" label (Bump major version once released) on Feb 14, 2019
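
An added illustration of the leak described in this issue, not part of the original comment and not the module's own code: a generic JSON logger serializes everything attached to the error, while an allowlist keeps only non-secret fields. The error object, all its values, and the helper names (`makeSampleError`, `naiveLogLine`, `safeErrorFields`, `safeLogLine`) are constructed for the example.

```javascript
// Constructed error shaped as the issue describes: the request options and
// the response ride along on the error object. Every value here is made up.
function makeSampleError() {
  const options = {
    method: 'POST',
    uri: 'https://api.example.test/login?session=CONSTRUCTED-SESSION',
    headers: { Authorization: 'Bearer CONSTRUCTED-TOKEN' },
    form: { user: 'alice', password: 'CONSTRUCTED-PASSWORD' },
  };
  const err = new Error('request failed');
  err.name = 'StatusCodeError';
  err.statusCode = 401;
  err.options = options;
  err.response = { statusCode: 401, body: '{"error":"denied"}', request: { headers: options.headers } };
  return err;
}

// What a generic JSON error logger effectively does: every own enumerable
// property of the error, including options and response, lands in the log.
function naiveLogLine(err) {
  return JSON.stringify(err);
}

// Allowlist: copy only fields known to be safe instead of deleting known-bad
// ones. The message is left out because it may embed response data.
function safeErrorFields(err) {
  const opts = err.options || {};
  let target;
  try {
    const u = new URL(opts.uri || opts.url);
    target = u.origin + u.pathname; // drops userinfo, query string and fragment
  } catch (_) {
    target = undefined; // missing or relative URL: log nothing rather than raw input
  }
  return { name: err.name, statusCode: err.statusCode, method: opts.method, target };
}

function safeLogLine(err) {
  return JSON.stringify(safeErrorFields(err));
}

const sample = makeSampleError();
console.log('naive:', naiveLogLine(sample)); // contains the token and the password
console.log('safe: ', safeLogLine(sample));
```
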