Merge pull request #56 from demisto/sensitive-logging

Add env for sensitive logging
demisto · Dec 21, 2020 · 240ad35 · 240ad35
2 parents d4ed7e4 + f1ad041
commit 240ad35
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@
 
 [1]: https://pypi.org/project/demisto-py/#history
 
+## 2.0.20
+* Log only headers in exceptions when `DEMISTO_EXCEPTION_HEADER_LOGGING` environment variable is set to true. This protects against possible sensitive data being logged in exceptions.
+
+
 ## 2.0.19
 * Support `import_layout` to upload the new layout version(layoutscontainer).
 * Fixed `import_layout` when uploading an old layout version.

diff --git a/demisto_client/demisto_api/rest.py b/demisto_client/demisto_api/rest.py
@@ -311,9 +311,14 @@ def __init__(self, status=None, reason=None, http_resp=None):
 
     def __str__(self):
         """Custom error messages for exception"""
+        sensitive_env = os.getenv("DEMISTO_EXCEPTION_HEADER_LOGGING")
+        if sensitive_env:
+            sensitive_logging = sensitive_env.lower() in ["true", "1", "yes"]
+        else:
+            sensitive_logging = False
         error_message = "({0})\n"\
                         "Reason: {1}\n".format(self.status, self.reason)
-        if self.headers:
+        if self.headers and sensitive_logging:
             error_message += "HTTP response headers: {0}\n".format(
                 self.headers)
 

diff --git a/gen-code.sh b/gen-code.sh
@@ -5,7 +5,7 @@
 # exit on errors
 set -e
 
-# IMPORTANT: Make sure when writing sed command to use: sed -i "${INPLACE[@]}" 
+# IMPORTANT: Make sure when writing sed command to use: sed -i "${INPLACE[@]}"
 # to be compatible with mac and linux
 # sed on mac requires '' as param and on linux doesn't
 if [[ "$(uname)" == Linux ]]; then
@@ -63,7 +63,14 @@ import demisto_client/g' demisto_client/demisto_api/api/default_api.py
 echo -e "\n    def generic_request(self, path, method, body=None, **kwargs):  # noqa: E501\n        return demisto_client.generic_request_func(self, path, method, body, **kwargs)" >> demisto_client/demisto_api/api/default_api.py
 # fix bug where binary data is decoded on py3
 sed -i "${INPLACE[@]}" -e 's#if six\.PY3:#if six.PY3 and r.getheader("Content-Type") != "application/octet-stream":#' demisto_client/demisto_api/rest.py
-
+# Disable sensitive logging by default
+sed -i "${INPLACE[@]}" -e 's/"""Custom error messages for exception"""/"""Custom error messages for exception"""\
+        sensitive_env = os.getenv("DEMISTO_EXCEPTION_HEADER_LOGGING")\
+        if sensitive_env:\
+            sensitive_logging = sensitive_env.lower() in ["true", "1", "yes"]\
+        else:\
+            sensitive_logging = False/' demisto_client/demisto_api/rest.py
+sed -i "${INPLACE[@]}" -e 's#        if self.headers:#        if self.headers and sensitive_logging:#' demisto_client/demisto_api/rest.py
 # Fix import layout command
 start=`grep "verify the required parameter 'type'" demisto_client/demisto_api/api/default_api.py -n | cut -f1 -d: | tail -1 | tr -d "\\n"`
 end=`grep ".kind. when calling .import_layout." demisto_client/demisto_api/api/default_api.py -n | cut -f1 -d: | tail -1 | tr -d "\\n"`