Proxy credentials are logged as clear text
🐞 Describe the bug
aiohttp logs proxy username/password as clear text when hitting a 503:
aiohttp.client_exceptions.ClientHttpProxyError: 503, message='Service Unavailable', url=URL('http://**proxyuser:proxypass**@myproxy.example.com:8080')
💡 To Reproduce
- Create an aiohttp session with a proxy that has a username and password
- Hit an error such as a 503
- Observe that the username and password are logged in clear text
💡 Expected behavior
aiohttp obscures the password
📋 Logs/tracebacks
  File "/usr/lib64/python3.6/site-packages/aiohttp/client.py", line 1012, in __aenter__
    self._resp = await self._coro
  File "/usr/lib64/python3.6/site-packages/aiohttp/client.py", line 483, in _request
    timeout=real_timeout
  File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 523, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 856, in _create_connection
    req, traces, timeout)
  File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 1083, in _create_proxy_connection
    headers=resp.headers)
aiohttp.client_exceptions.ClientHttpProxyError: 503, message='Service Unavailable', url=URL('http://**proxyuser:proxypass**@myproxy.example.com:8080')
📋 Your version of the Python
3.6
📋 Your version of the aiohttp/yarl/multidict distributions
aiohttp 3.7.3
📋 Additional context
Seems like they are basic auth credentials, which seems a little questionable to be using them in the first place (as they are sent over the network in plain text).
But, it's probably easy enough to ensure the credentials section is redacted from the URL for all exceptions here: https://github.com/aio-libs/aiohttp/blob/a6c7f154ddee11e6e23c66c830b5b0b668f81c8e/aiohttp/client_exceptions.py#L77
Maybe as simple as changing the url to:
url.with_password('*hidden*')
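
Until the exception itself redacts the URL, an application can scrub its own log output. The following is an added example, not aiohttp's code: a standard-library logging filter that masks the password in any `scheme://user:password@` URL found in a log message or its traceback. The names `redact_text`, `RedactUrlPasswords` and `demo` are hypothetical, and the `RuntimeError` is a constructed stand-in for the `ClientHttpProxyError` text reported above.

```python
import io
import logging
import re

MASK = "*hidden*"  # same placeholder the issue suggests
# scheme://user:password@ anywhere in free text; greedy up to the last "@"
# of the authority so a password that itself contains "@" is fully masked.
_USERINFO = re.compile(r"([a-zA-Z][a-zA-Z0-9+.-]*://[^\s/:@]+:)[^\s/]+@")


def redact_text(text: str) -> str:
    """Mask the password of every URL with userinfo found in text."""
    return _USERINFO.sub(lambda m: m.group(1) + MASK + "@", text)


class RedactUrlPasswords(logging.Filter):
    """Handler-level filter: scrubs the message and any attached traceback."""

    _fmt = logging.Formatter()

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        if record.exc_info:
            # Formatter.format() reuses exc_text when it is already set.
            record.exc_text = redact_text(self._fmt.formatException(record.exc_info))
        return True


def demo() -> str:
    """Log a constructed proxy error and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactUrlPasswords())  # on the handler: covers every logger using it
    log = logging.getLogger("redact_demo")
    log.addHandler(handler)
    log.propagate = False
    try:
        # Constructed stand-in for the ClientHttpProxyError text in the report.
        raise RuntimeError("503, message='Service Unavailable', "
                           "url=URL('http://proxyuser:proxypass@myproxy.example.com:8080')")
    except RuntimeError:
        log.exception("proxy connect failed")
    finally:
        log.removeHandler(handler)
    return stream.getvalue()
```

The filter only covers output that passes through a handler it is attached to; an uncaught exception printed by the interpreter, or a `repr()` of the exception stored elsewhere, still carries the password.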