Bug 214639

Summary: [ews-app] Pass api key in more secure manner
Product: WebKit Reporter: Aakash Jain <aakash_jain>
Component: Tools / TestsAssignee: Aakash Jain <aakash_jain>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, jbedard, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Aakash Jain
Reported 2020-07-22 06:08:43 PDT
Pass api key in more secure manner in EWS django app. Instead of appending the api key in the url, it should be passed as a requests.get parameter. One benefit of that is, if the url is logged, api key wouldn't appear in the logs. Similar to https://trac.webkit.org/changeset/258008/webkit
Attachments
Patch (5.14 KB, patch)
2020-07-22 08:44 PDT, Aakash Jain 		no flags
DetailsFormatted DiffDiff
Patch (5.13 KB, patch)
2020-07-22 10:07 PDT, Aakash Jain 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Aakash Jain
Comment 1 2020-07-22 08:44:57 PDT
Created attachment 404925 [details] Patch
Jonathan Bedard
Comment 2 2020-07-22 09:24:18 PDT
Comment on attachment 404925 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=404925&action=review > Tools/BuildSlaveSupport/ews-app/ews/common/bugzilla.py:98 > + # Catching all exceptions here to safeguard api key. You say you're catching all exceptions to safeguard the API key, but then you log the exception anyways? Is that deliberate? I suppose you're guaranteeing that the exception won't end up in the response, but the API could still end up in the log, no?
Aakash Jain
Comment 3 2020-07-22 09:47:46 PDT
Comment on attachment 404925 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=404925&action=review >> Tools/BuildSlaveSupport/ews-app/ews/common/bugzilla.py:98 >> + # Catching all exceptions here to safeguard api key. > > You say you're catching all exceptions to safeguard the API key, but then you log the exception anyways? Is that deliberate? I suppose you're guaranteeing that the exception won't end up in the response, but the API could still end up in the log, no? Oops, I printed the exception here for debugging. Thanks for catching that.
Aakash Jain
Comment 4 2020-07-22 10:07:57 PDT
Created attachment 404935 [details] Patch
EWS
Comment 5 2020-07-22 11:16:44 PDT
Committed r264711: <https://trac.webkit.org/changeset/264711> All reviewed patches have been landed. Closing bug and clearing flags on attachment 404935 [details].
Radar WebKit Bug Importer
Comment 6 2020-07-22 11:17:15 PDT
<rdar://problem/65945882>
Aakash Jain
Comment 7 2020-07-22 11:40:02 PDT
Deployed the change on the server.
Note You need to log in before you can comment on or make changes to this bug.