
Add data sanitization to RequestPanel #2103


Conversation

dr-rompecabezas
Member

@dr-rompecabezas dr-rompecabezas commented Mar 12, 2025

Description

This implementation:

  1. Makes sanitization of sensitive values enabled by default but configurable
  2. Uses a similar approach to, and the same default key patterns as, Django's sanitization
  3. Allows customizing the patterns used to identify sensitive data
  • Added SANITIZE_REQUEST_DATA setting to control sanitization of request data.
  • Added REQUEST_SANITIZATION_PATTERNS setting to define key patterns to sanitize the respective value.
  • Implemented sanitize_value function to sanitize sensitive data based on key regex patterns.
  • Updated get_sorted_request_variable to support sanitization.
  • Added tests for sanitization of GET and POST parameters, cookies, and session data.
  • Updated documentation to include new settings.

Fixes #2074

Checklist:

  • I have added the relevant tests for this change.
  • I have added an item to the Pending section of docs/changes.rst.

- Added `SANITIZE_REQUEST_DATA` setting to control sanitization of
  request data.
- Implemented `sanitize_value` function to sanitize sensitive data based
  on key patterns.
- Updated `get_sorted_request_variable` to support sanitization.
- Added tests for sanitization of GET, POST, cookies, and session data.
- Updated documentation to include new settings.

django-commons#2074
Added test for completeness, as we already have tests for GET and POST
parameter data sanitization, but were missing a test for cookie data.
Member

@matthiask matthiask left a comment


It's a great start! Thank you.

I'd like you to investigate whether it's possible to use the SafeExceptionReporterFilter instead of duplicating the filtering and cleaning logic ourselves, especially the list of patterns. The list of patterns isn't updated often in Django but it does happen from time to time, and if we can just reuse the functionality in there we immediately profit as well without doing anything.

https://github.com/django/django/blob/955b7c6ba105b328f387a9d63540dbabd4a05828/django/views/debug.py#L108
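An added, stand-alone illustration (not the PR's code and not django-debug-toolbar's) of the key-pattern sanitization the PR description outlines and of the reuse point raised above: the default pattern list below mirrors the `hidden_settings` regex of Django's `SafeExceptionReporterFilter` linked above, whose `cleanse_setting(key, value)` method performs the same key-based cleansing (recursing into nested dicts and lists in current Django versions) and is what the review proposes calling instead of duplicating it. Everything else here (`sanitize_value`, `get_sorted_request_variable`, the `MultiValueMapping` stand-in for `QueryDict`, and the sample request data) is constructed for this example and runs without Django installed.

```python
import re
from typing import Any, Iterable, Sequence

# Default key patterns (constructed for this example). They mirror the
# hidden_settings regex of Django's SafeExceptionReporterFilter; the PR
# proposes exposing such a list as a REQUEST_SANITIZATION_PATTERNS setting.
DEFAULT_SANITIZATION_PATTERNS: Sequence[str] = (
    "API", "TOKEN", "KEY", "SECRET", "PASS", "SIGNATURE", "HTTP_COOKIE",
)
# Replacement for a sensitive value; same shape as Django's cleansed_substitute.
CLEANSED_SUBSTITUTE = "********************"


def compile_patterns(patterns: Iterable[str]):
    """Join the key patterns into one case-insensitive regex, or None if empty.

    An empty pattern list must mean "nothing is sensitive"; joining it would
    yield the empty regex, which matches every key.
    """
    parts = [p for p in patterns if p]
    return re.compile("|".join(parts), flags=re.IGNORECASE) if parts else None


def sanitize_value(key: Any, value: Any,
                   patterns: Iterable[str] = DEFAULT_SANITIZATION_PATTERNS) -> Any:
    """Return `value` with anything stored under a sensitive-looking key masked.

    The decision is made on the key, never on the value, so "password",
    "api_key", "csrftoken" and "HTTP_COOKIE" are masked whatever they hold.
    Nested dicts are walked with their own keys; lists and tuples are walked
    element-wise with an empty key (list items have none), so a secret inside
    a parsed JSON body is still caught.
    """
    regex = compile_patterns(patterns)
    if regex is not None and isinstance(key, str) and regex.search(key):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: sanitize_value(k, v, patterns) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        cleaned = [sanitize_value("", v, patterns) for v in value]
        return type(value)(cleaned)
    return value


class MultiValueMapping(dict):
    """Minimal stand-in for Django's QueryDict (constructed here): every key
    maps to a list of values and getlist() returns that list."""

    def getlist(self, key: str) -> list:
        return list(self.get(key, []))


def get_sorted_request_variable(variable, sanitize: bool = True,
                                patterns: Iterable[str] = DEFAULT_SANITIZATION_PATTERNS):
    """Turn a request mapping (GET, POST, COOKIES, session) into the sorted
    (key, value) rows a panel would render, masking sensitive rows unless
    `sanitize` is False (the role the PR gives the SANITIZE_REQUEST_DATA setting).

    QueryDict-like objects expose getlist() and may carry several values per
    key; plain dicts (COOKIES, session) are read with .get().
    """
    rows = []
    for key in sorted(variable):
        if hasattr(variable, "getlist"):
            value = variable.getlist(key)
        else:
            value = variable.get(key)
        if sanitize:
            value = sanitize_value(key, value, patterns)
        rows.append((key, value))
    return rows


if __name__ == "__main__":
    # Constructed sample request data.
    post = MultiValueMapping({"username": ["alice"], "password": ["hunter2"], "tag": ["a", "b"]})
    cookies = {"csrftoken": "abc123", "theme": "dark"}
    session = {"_auth_user_id": "7", "oauth": {"access_token": "tok", "scope": "read"}}
    for name, data in (("POST", post), ("COOKIES", cookies), ("session", session)):
        print(name, get_sorted_request_variable(data))
```

Because the match is on the key, a value such as a password that happens to be posted under an unrelated field name is not masked; that is the same trade-off Django's filter makes, and it is why keeping the pattern list in one place (Django's) rather than copying it matters when Django extends it.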

- Moved import of `dt_settings` to the top of the file.
- Simplified session data sanitization logic by avoiding duplicate code.
@dr-rompecabezas dr-rompecabezas removed the request for review from tim-schilling March 12, 2025 15:49
@dr-rompecabezas
Member Author

> investigate whether it's possible to use the SafeExceptionReporterFilter instead of duplicating the filtering and cleaning logic ourselves, especially the list of patterns

@matthiask will do. Thanks.

@dr-rompecabezas
Member Author

I will be opening a new PR soon with a new approach.

@dr-rompecabezas dr-rompecabezas deleted the sanitize-request-data branch March 18, 2025 04:50
Linked issue this pull request may close: Sanitize RequestPanel data behind a setting (#2074)

3 participants