#34965 closed Bug (needsinfo)
@sensitive_variables for coroutine func are not recursive
| Reported by: | Vageeshan Mankala | Owned by: | vageeshan |
|---|---|---|---|
| Component: | Core (Other) | Version: | 5.0 |
| Severity: | Normal | Keywords: | @sensitive_variables, @sensitive_post_parameters |
| Cc: | Jon Janzen, Carlton Gibson | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
There is a difference in functionality of how @sensitive_variables/sensitive_post_parameters work for synchronous functions and asynchronous functions.
Sync funcs. - It recursively hides the variables from all frames in the stack until new sensitive variables are defined for a frame. Example, Wrappers to nested function calls, variables are hidden.
Async funcs. - It only hides the variables in the top most frame of the stack. Example, If there is view func with sensitive variables, and it also has a decorator, it hides only in the wrapper and not in the actual view.
I would expect both to work in similar way. I am also deeply invested in the idea so I willing to contribute a PR.
Change History (12)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 2 years ago
| Cc: | added |
|---|
comment:3 by , 2 years ago
| Cc: | removed |
|---|---|
| Type: | Uncategorized → Bug |
comment:4 by , 2 years ago
| Patch needs improvement: | set |
|---|
comment:5 by , 2 years ago
| Cc: | added |
|---|---|
| Component: | Uncategorized → Core (Other) |
| Patch needs improvement: | unset |
comment:6 by , 2 years ago
| Resolution: | → needsinfo |
|---|---|
| Status: | assigned → closed |
Thanks for the report, I don't think you've explained the issue in enough detail to confirm a bug in Django. Please reopen the ticket if you can debug your issue and provide a sample project that reproduces the issue. Also, be aware that sync_to_async() and async_to_sync() are not compatible with @sensitive_variables (as documented).
follow-up: 8 comment:7 by , 2 years ago
Also, be aware that sync_to_async() and async_to_sync() are not compatible with @sensitive_variables (as documented).
We might want to update those docs, as recent versions (>= 3.7.0) will hide variables from the internals of asgiref: https://github.com/django/asgiref/pull/383
Changelog note for asgiref: https://github.com/django/asgiref/blob/main/CHANGELOG.txt#L25
comment:8 by , 2 years ago
Replying to Jon Janzen:
Also, be aware that sync_to_async() and async_to_sync() are not compatible with @sensitive_variables (as documented).
We might want to update those docs, as recent versions (>= 3.7.0) will hide variables from the internals of asgiref: https://github.com/django/asgiref/pull/383
Changelog note for asgiref: https://github.com/django/asgiref/blob/main/CHANGELOG.txt#L25
Django 5.0+ required asgiref 3.7+. Do you think it's time to remove this warning?
comment:9 by , 2 years ago
Django 5.0+ required asgiref 3.7+. Do you think it's time to remove this warning?
Yeah that's probably a good idea, I completely missed that you added this warning
follow-up: 12 comment:11 by , 2 years ago
Thanks for the ping. Yes, with the change to asgiref, it seems reasonable to drop the warnings. (I didn't check the internal Python frames again, but they're future related, and don't feature sensitive Django-related variables…)
comment:12 by , 2 years ago
Replying to Carlton Gibson:
Thanks for the ping. Yes, with the change to asgiref, it seems reasonable to drop the warnings. (I didn't check the internal Python frames again, but they're future related, and don't feature sensitive Django-related variables…)
Initial support for this feature was added in #31949