Potential RabbitMQ password leak
Amoki opened this issue · comments
Hi and thanks for this awesome lib!
When generating a 500 with DEBUG = True or when sending 500 by mail, Django generates a report with env variables.
If the variable name in settings.py contains "PASSWORD" or "SECURE", Django replaces the values with *********.
The variable BROKER_URL contains the password. (And maybe the same for Redis?)
It could be great to be able to define a variable SECURE_BROKER_URL so Django hides the password.
If needed, I could write a PR.
Hi @Amoki,
Thanks for reaching out. Hm… I see your point, however, we only chose BROKER_URL because that's the setting Celery uses, which is probably one of the most commonly used packages in the Django world.
The first scenario you describe is highly discouraged, you should never ever run DEBUG=True on a production application. The email part shouldn't really be a problem, as crash reports are only sent to admins. I would assume that admins would have access to the credentials anyway.
Here's what I would advise you to do. It is very common to use URLs to encode secrets in Django, for email, caching, message queues and of course databases. URL support has even been proposed as a new core feature in Django.
I would kindly ask you to reach out to the Django security mailing list. I believe it's best if settings containing URLs are also replaced.
Best,
Joe
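Both posts above turn on the same gap: the debug report hides a setting by its *name*, so a password embedded in a URL-valued setting such as BROKER_URL slips through. The following is an added example written for this page, not code from the issue thread or from the project it concerns. It shows a settings cleanser that keeps the name-based rule and additionally scrubs the userinfo part of any URL value (RabbitMQ, Redis, database and mail URLs alike), recursing into nested dicts and lists. The key pattern `HIDDEN_SETTINGS`, the placeholder string and the `SAMPLE_SETTINGS` values are assumptions constructed for the example; only the Python standard library is used, so it runs without Django installed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed name-based rule (modelled on the idea of Django's HIDDEN_SETTINGS,
# not copied from it): any key matching this pattern is hidden outright.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)

# Placeholder written into the report in place of a secret.
CLEANSED = "*" * 20


def redact_url_credentials(value):
    """Return `value` with the password in its URL userinfo replaced by CLEANSED.

    Scheme, host, port, path and query are kept so the report stays useful for
    debugging. Strings that are not URLs, or URLs without a password, are
    returned unchanged. If the URL cannot be parsed at all, fail closed and
    hide the whole value rather than risk leaking part of it.
    """
    if not isinstance(value, str) or "://" not in value:
        return value
    try:
        parts = urlsplit(value)
        if parts.password is None:
            return value
        userinfo = (parts.username or "") + ":" + CLEANSED
        host = parts.hostname or ""
        if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
            host = f"[{host}]"
        if parts.port is not None:
            host = f"{host}:{parts.port}"
        netloc = f"{userinfo}@{host}"
        return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    except ValueError:
        return CLEANSED


def cleanse_setting(key, value):
    """Hide a setting by key name first, then scrub credentials in URL values.

    Containers are walked recursively so a Redis LOCATION nested inside CACHES
    gets the same treatment as a top-level BROKER_URL.
    """
    if isinstance(key, str) and HIDDEN_SETTINGS.search(key):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(cleanse_setting("", v) for v in value)
    return redact_url_credentials(value)


def cleanse_settings(settings):
    """Produce the dict a crash report should show for a whole settings mapping."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


# Constructed sample settings for the demonstration; none of these values
# belong to a real deployment.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-example",
    "EMAIL_HOST_PASSWORD": "mailpass",
    "BROKER_URL": "amqp://guest:s3cr3t@rabbit.internal:5672/vhost",
    "CACHES": {"default": {"LOCATION": "redis://:hunter2@cache.internal:6379/0"}},
    "DATABASE_URL": "postgres://app:dbpass@db.internal/app",
    "STATIC_URL": "/static/",
    "ALLOWED_HOSTS": ["example.com"],
}


if __name__ == "__main__":
    for name, shown in cleanse_settings(SAMPLE_SETTINGS).items():
        print(f"{name} = {shown!r}")
```

In a Django project the natural place for `redact_url_credentials` is a subclass of `django.views.debug.SafeExceptionReporterFilter` whose `cleanse_setting` method calls the parent and then scrubs URL values, registered through the `DEFAULT_EXCEPTION_REPORTER_FILTER` setting; that wiring is left out here so the block runs stand-alone. Note that the redaction keeps the hostname and port, which is deliberate: the report remains useful for spotting a wrong broker host while the credential never reaches the mail spool.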