From 7faebcea9e8c5c4aa7b171db73013e7ed8297a67 Mon Sep 17 00:00:00 2001
From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com>
Date: Mon, 21 Dec 2020 12:43:13 +0200
Subject: [PATCH 1/6] Add env for sensitive logging
---
 demisto_client/demisto_api/rest.py | 7 ++++++-
 gen-code.sh | 11 +++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/demisto_client/demisto_api/rest.py b/demisto_client/demisto_api/rest.py
index e935201..78ce51d 100644
--- a/demisto_client/demisto_api/rest.py
+++ b/demisto_client/demisto_api/rest.py
@@ -311,9 +311,14 @@ def __init__(self, status=None, reason=None, http_resp=None):
 def __str__(self):
 """Custom error messages for exception"""
+ sensitive_env = os.getenv("DEMISTO_SENSITIVE_LOGGING")
+ if sensitive_env:
+ sensitive_logging = sensitive_env.lower() not in ["false", "0", "no"]
+ else:
+ sensitive_logging = True
 error_message = "({0})\n"\
 "Reason: {1}\n".format(self.status, self.reason)
- if self.headers:
+ if self.headers and sensitive_logging:
 error_message += "HTTP response headers: {0}\n".format(
 self.headers)
diff --git a/gen-code.sh b/gen-code.sh
index c1dda1a..3edda51 100755
--- a/gen-code.sh
+++ b/gen-code.sh
@@ -5,7 +5,7 @@
 # exit on errors
 set -e
-# IMPORTANT: Make sure when writing sed command to use: sed -i "${INPLACE[@]}"
+# IMPORTANT: Make sure when writing sed command to use: sed -i "${INPLACE[@]}"
 # to be compatible with mac and linux
 # sed on mac requires '' as param and on linux doesn't
 if [[ "$(uname)" == Linux ]]; then
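Review bot: The added `os.getenv("DEMISTO_SENSITIVE_LOGGING")` call in `__str__` (demisto_client/demisto_api/rest.py) relies on `os` being imported, and no hunk in this patch adds `import os` to rest.py or a matching sed step to gen-code.sh. If the generated module does not already import it, formatting the exception raises `NameError` and hides the original status and reason from whoever is handling the error. Confirm the import exists, or add `import os` to the module's import block through gen-code.sh so that regeneration keeps it. The same call appears in the rest.py hunks of patches 3/6 and 5/6, and `__str__` continues past the end of this hunk.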
@@ -63,7 +63,14 @@ import demisto_client/g' demisto_client/demisto_api/api/default_api.py
 echo -e "\n def generic_request(self, path, method, body=None, **kwargs): # noqa: E501\n return demisto_client.generic_request_func(self, path, method, body, **kwargs)" >> demisto_client/demisto_api/api/default_api.py
 # fix bug where binary data is decoded on py3
 sed -i "${INPLACE[@]}" -e 's#if six\.PY3:#if six.PY3 and r.getheader("Content-Type") != "application/octet-stream":#' demisto_client/demisto_api/rest.py
-
+# Disable sensitive logging by default
+sed -i "${INPLACE[@]}" -e 's/"""Custom error messages for exception"""/"""Custom error messages for exception"""\
+ sensitive_env = os.getenv("DEMISTO_SENSITIVE_LOGGING")\
+ if sensitive_env:\
+ sensitive_logging = sensitive_env.lower() not in ["false", "0", "no"]\
+ else:\
+ sensitive_logging = True/' demisto_client/demisto_api/rest.py
+sed -i "${INPLACE[@]}" -e 's# if self.headers:# if self.headers and sensitive_logging:#' demisto_client/demisto_api/rest.py
 # Fix import layout command
 start=`grep "verify the required parameter 'type'" demisto_client/demisto_api/api/default_api.py -n | cut -f1 -d: | tail -1 | tr -d "\\n"`
 end=`grep ".kind. when calling .import_layout." demisto_client/demisto_api/api/default_api.py -n | cut -f1 -d: | tail -1 | tr -d "\\n"`
From 6fa14664a141621a621f987a4bf656887a659996 Mon Sep 17 00:00:00 2001
From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com>
Date: Mon, 21 Dec 2020 12:47:48 +0200
Subject: [PATCH 2/6] Add changelog entry
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f8d168..48f01a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
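Review bot: Both added `sed` substitutions succeed silently when their pattern no longer matches, so if the generator ever changes the docstring text or the `if self.headers:` line, rest.py is regenerated without the header-logging guard and `set -e` does not stop the script. Because this substitution is what keeps response headers out of exception text, follow it with a check that fails the build, for example `grep -q 'if self.headers and sensitive_logging:' demisto_client/demisto_api/rest.py`. The second pattern also rewrites every line of rest.py that contains `if self.headers:`, which deserves a comment if that is intended.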
@@ -4,6 +4,10 @@
 [1]: https://pypi.org/project/demisto-py/#history
+## 2.0.20
+* Prevent headers from being logged when `DEMISTO_SENSITIVE_LOGGING` environment variable is set to false.
+
+
 ## 2.0.19
 * Support `import_layout` to upload the new layout version(layoutscontainer).
 * Fixed `import_layout` when uploading an old layout version.
From 36158471ceb63a02e2b7ce7185bfb1c15651303d Mon Sep 17 00:00:00 2001
From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com>
Date: Mon, 21 Dec 2020 13:36:18 +0200
Subject: [PATCH 3/6] Change to DEMISTO_EXCEPTION_HEADER_LOGGING reverse logic to be more assertive
---
 demisto_client/demisto_api/rest.py | 6 +++---
 gen-code.sh | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/demisto_client/demisto_api/rest.py b/demisto_client/demisto_api/rest.py
index 78ce51d..f07dcf7 100644
--- a/demisto_client/demisto_api/rest.py
+++ b/demisto_client/demisto_api/rest.py
@@ -311,11 +311,11 @@ def __init__(self, status=None, reason=None, http_resp=None):
 def __str__(self):
 """Custom error messages for exception"""
- sensitive_env = os.getenv("DEMISTO_SENSITIVE_LOGGING")
+ sensitive_env = os.getenv("DEMISTO_EXCEPTION_HEADER_LOGGING")
 if sensitive_env:
- sensitive_logging = sensitive_env.lower() not in ["false", "0", "no"]
+ sensitive_logging = sensitive_env.lower() not in ["true", "1", "yes"]
 else:
- sensitive_logging = True
+ sensitive_logging = False
 error_message = "({0})\n"\
 "Reason: {1}\n".format(self.status, self.reason)
 if self.headers and sensitive_logging:
diff --git a/gen-code.sh b/gen-code.sh
index 3edda51..66e8c45 100755
--- a/gen-code.sh
+++ b/gen-code.sh
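Review bot: The renamed switch `DEMISTO_EXCEPTION_HEADER_LOGGING` gates only the `if self.headers and sensitive_logging:` branch, and the rest of `__str__` lies outside this hunk. If the remainder appends the HTTP response body to `error_message`, as generated REST clients commonly do, that text still reaches logs unconditionally and can carry the same kind of sensitive data as the headers. It is worth checking the full method and either gating the body the same way or stating in the changelog that only headers are suppressed.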
@@ -65,11 +65,11 @@ echo -e "\n def generic_request(self, path, method, body=None, **kwargs): #
 sed -i "${INPLACE[@]}" -e 's#if six\.PY3:#if six.PY3 and r.getheader("Content-Type") != "application/octet-stream":#' demisto_client/demisto_api/rest.py
 # Disable sensitive logging by default
 sed -i "${INPLACE[@]}" -e 's/"""Custom error messages for exception"""/"""Custom error messages for exception"""\
- sensitive_env = os.getenv("DEMISTO_SENSITIVE_LOGGING")\
+ sensitive_env = os.getenv("DEMISTO_EXCEPTION_HEADER_LOGGING")\
 if sensitive_env:\
- sensitive_logging = sensitive_env.lower() not in ["false", "0", "no"]\
+ sensitive_logging = sensitive_env.lower() not in ["true", "1", "yes"]\
 else:\
- sensitive_logging = True/' demisto_client/demisto_api/rest.py
+ sensitive_logging = False/' demisto_client/demisto_api/rest.py
 sed -i "${INPLACE[@]}" -e 's# if self.headers:# if self.headers and sensitive_logging:#' demisto_client/demisto_api/rest.py
 # Fix import layout command
 start=`grep "verify the required parameter 'type'" demisto_client/demisto_api/api/default_api.py -n | cut -f1 -d: | tail -1 | tr -d "\\n"`
From c62bfaeca98c1a0bd019b1e471fda8262115c8c2 Mon Sep 17 00:00:00 2001
From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com>
Date: Mon, 21 Dec 2020 13:37:39 +0200
Subject: [PATCH 4/6] update changes in CHANGELOG.md
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48f01a9..315d5d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@
 [1]: https://pypi.org/project/demisto-py/#history
 ## 2.0.20
-* Prevent headers from being logged when `DEMISTO_SENSITIVE_LOGGING` environment variable is set to false.
+* Prevent headers from being logged when `DEMISTO_EXCEPTION_HEADER_LOGGING` environment variable is set to false.
 ## 2.0.19
From 9e36fc271f68423b10dea95653f968bc8233d076 Mon Sep 17 00:00:00 2001
From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com>
Date: Mon, 21 Dec 2020 13:38:50 +0200
Subject: [PATCH 5/6] del not
---
 demisto_client/demisto_api/rest.py | 2 +-
 gen-code.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/demisto_client/demisto_api/rest.py b/demisto_client/demisto_api/rest.py
index f07dcf7..8bd2a4f 100644
--- a/demisto_client/demisto_api/rest.py
+++ b/demisto_client/demisto_api/rest.py
@@ -313,7 +313,7 @@ def __str__(self):
 """Custom error messages for exception"""
 sensitive_env = os.getenv("DEMISTO_EXCEPTION_HEADER_LOGGING")
 if sensitive_env:
- sensitive_logging = sensitive_env.lower() not in ["true", "1", "yes"]
+ sensitive_logging = sensitive_env.lower() in ["true", "1", "yes"]
 else:
 sensitive_logging = False
 error_message = "({0})\n"\
diff --git a/gen-code.sh b/gen-code.sh
index 66e8c45..a32d674 100755
--- a/gen-code.sh
+++ b/gen-code.sh
@@ -67,7 +67,7 @@ sed -i "${INPLACE[@]}" -e 's#if six\.PY3:#if six.PY3 and r.getheader("Content-Ty
 sed -i "${INPLACE[@]}" -e 's/"""Custom error messages for exception"""/"""Custom error messages for exception"""\
 sensitive_env = os.getenv("DEMISTO_EXCEPTION_HEADER_LOGGING")\
 if sensitive_env:\
- sensitive_logging = sensitive_env.lower() not in ["true", "1", "yes"]\
+ sensitive_logging = sensitive_env.lower() in ["true", "1", "yes"]\
 else:\
 sensitive_logging = False/' demisto_client/demisto_api/rest.py
 sed -i "${INPLACE[@]}" -e 's# if self.headers:# if self.headers and sensitive_logging:#' demisto_client/demisto_api/rest.py
From f1ad041702d5e20f028abf71a589847a23172cac Mon Sep 17 00:00:00 2001
From: Andrew Shamah <42912128+amshamah419@users.noreply.github.com>
Date: Mon, 21 Dec 2020 14:18:57 +0200
Subject: [PATCH 6/6] Update CHANGELOG.md
Co-authored-by: Guy Lichtman <1395797+glicht@users.noreply.github.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 315d5d2..b79e839 100644
--- a/CHANGELOG.md
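Review bot: The five lines in `__str__` that parse the variable can be a single expression, and the names `sensitive_env` / `sensitive_logging` no longer describe a flag that now means "include headers". Something like `log_headers = os.getenv("DEMISTO_EXCEPTION_HEADER_LOGGING", "").strip().lower() in ("true", "1", "yes")` keeps the default-off behaviour, tolerates stray whitespace in the value, and reads as what it is; the matching sed block in gen-code.sh would need the same text. A one-line comment saying that unset or unrecognised values leave headers out would document the fail-closed default. The enclosing `__str__` starts and ends outside this hunk.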
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@
 [1]: https://pypi.org/project/demisto-py/#history
 ## 2.0.20
-* Prevent headers from being logged when `DEMISTO_EXCEPTION_HEADER_LOGGING` environment variable is set to false.
+* Log only headers in exceptions when `DEMISTO_EXCEPTION_HEADER_LOGGING` environment variable is set to true. This protects against possible sensitive data being logged in exceptions.
 ## 2.0.19