
[monitoring_log_requests] v13 leaks passwords!

Status: Open. dannyadair opened this issue 3 years ago · 1 comment

In v14 and v15 only three specific fields of "params" get logged

https://github.com/camptocamp/odoo-cloud-platform/blob/14.0/monitoring_log_requests/models/ir_http.py#L73 https://github.com/camptocamp/odoo-cloud-platform/blob/15.0/monitoring_log_requests/models/ir_http.py#L73

        info.update({
            'model': request.params.get('model'),
            'model_method': request.params.get('method'),
            'workflow_signal': request.params.get('signal'),
        })

but in v13 the entire "params" just gets logged as one big dictionary

https://github.com/camptocamp/odoo-cloud-platform/blob/13.0/monitoring_log_requests/models/ir_http.py#L96

    if hasattr(request, "params"):
        info["params"] = dict(request.params)

which will include "login" and "password" from the login page (or API call), in cleartext.

dannyadair, Feb 28 '22 02:02
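The following is an added illustration, not code from odoo-cloud-platform or from the reporter: it places the 13.0 behaviour described above (copy the whole `params` dict into the log record) beside the 14.0/15.0 allow-list style and a third, redacting variant that keeps the dict for debugging but masks credential-like keys, including ones nested inside JSON-RPC `args`/`kwargs`. `FakeRequest`, the key-name fragments in `SENSITIVE_FRAGMENTS` and the sample login payload are all constructed for this example and are not part of the module.

```python
"""Added example (not odoo-cloud-platform code): three ways to build the
per-request info dict that monitoring_log_requests writes to the log,
shown against a constructed /web/login payload.
"""
import json
import logging

logger = logging.getLogger(__name__)

# Allow-list mirroring the three keys the 14.0/15.0 branches pick out.
LOGGED_PARAM_KEYS = {
    "model": "model",
    "model_method": "method",
    "workflow_signal": "signal",
}

# Key-name fragments treated as secrets by the redacting variant.
# Assumption: chosen here for illustration, not module configuration.
SENSITIVE_FRAGMENTS = ("password", "passwd", "token", "secret", "api_key")
REDACTED = "***REDACTED***"


class FakeRequest:
    """Minimal stand-in for odoo.http.request (constructed for this example)."""

    def __init__(self, params):
        self.params = params


def info_leaking(request):
    """The 13.0 behaviour the issue describes: the whole params dict is copied,
    so a login POST puts 'login' and 'password' into the log record."""
    info = {}
    if hasattr(request, "params"):
        info["params"] = dict(request.params)
    return info


def info_allowlist(request):
    """The 14.0/15.0 style: only three named, non-sensitive fields are copied."""
    info = {}
    params = getattr(request, "params", None) or {}
    info.update({field: params.get(key) for field, key in LOGGED_PARAM_KEYS.items()})
    return info


def _is_sensitive(key):
    name = str(key).lower()
    return any(fragment in name for fragment in SENSITIVE_FRAGMENTS)


def info_redacted(request):
    """Keep the full dict for debugging but mask credential-like keys, walking
    nested dicts and lists so JSON-RPC bodies under 'args'/'kwargs' are covered."""

    def scrub(value):
        if isinstance(value, dict):
            return {k: (REDACTED if _is_sensitive(k) else scrub(v)) for k, v in value.items()}
        if isinstance(value, (list, tuple)):
            return [scrub(v) for v in value]
        return value

    info = {}
    if hasattr(request, "params"):
        info["params"] = scrub(dict(request.params))
    return info


def contains_secret(info, secret):
    """Audit helper: does the serialised log record still contain the secret?"""
    return secret in json.dumps(info, default=str)


if __name__ == "__main__":
    # Constructed sample of what the login form submits.
    req = FakeRequest({"login": "alice@example.com", "password": "hunter2",
                       "redirect": "/web", "csrf_token": "abc123"})
    for build in (info_leaking, info_allowlist, info_redacted):
        record = build(req)
        logger.warning("%s leaks password: %s", build.__name__, contains_secret(record, "hunter2"))
        print(build.__name__, json.dumps(record))
```

`info_redacted` still carries the `login` value (a username, often an e-mail address); whether that belongs in a request log is a data-protection question rather than a credential one, and the allow-list approach sidesteps it entirely, which is why the later branches read best as the reference behaviour. `contains_secret` is the kind of check worth keeping as a unit test on any logging helper: feed it a request with a known dummy password and assert the serialised record does not contain it.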

Thanks for reporting. Origin seems to be https://github.com/camptocamp/odoo-cloud-platform/pull/198. @p-tombez could you have a look pls?

simahawk, Feb 28 '22 07:02

There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days. If you want this issue to never become stale, please ask a PSC member to apply the "no stale" label.

github-actions[bot], Jun 18 '23 12:06