How can I hide sensitive information like passwords from python program output logs?










I wonder if there is a Python module that I can use as a filter for stdout to prevent sensitive information like passwords or credentials from being displayed?

I am looking for a generic solution as I have no control or prior knowledge of what is effectively printed (it is the output of user-defined shell commands). Still, as a safety measure I would prefer to hide information that is likely to be sensitive.

Real life example: "set" prints environment variables and would clearly expose OS_PASSWORD if defined. If the filter I am describing would just replace the value with * it would make it safe to use.

I tried to search on https://pypi.org but I wasn't able to find anything, yet.

We can assume that Python logging is used for output as that is the recommended way to log anything in Python.

Clarification: there is no way for me to know which environment variables may need to be sanitized; by default the tool does not need any credentials, so I need a generic solution that has a default set of known to be sensitive.

The same kind of problem is faced on any CI system that is public and needs some credentials in order to function. A decent approach is to sanitize the output to avoid accidental leakage of information. For example, a user may add a "set" that would expose some of these variables to the logs.

This is not about malicious users who may easily find a way to bypass a filtering system if they really want; it is more about preventing accidental leakage caused by code that you cannot control.

So unsafe code needs access to sensitive information and you cannot prevent it from displaying it. All I am looking for is for some "white-paste" solution....










  • I'm a bit confused. If you, the developer, have "no .. prior knowledge of what is effectively printed" then how would a theoretically-existing module know? How would it know that super_sensitive_password is going to be logged?

    – DeepSpace
    Nov 13 '18 at 11:32












  • This sounds like a symptom of a deeper problem. If you're passing credentials on the command line, be aware that on most Linux systems, any user on the box, even unprivileged users, can easily see the complete command line of every command executed. Additionally, the root user (or any user with unlimited sudo privileges) can easily inspect the environment variables of any process. Before trying to mitigate a threat, you need to understand what the threat is that you're trying to defend against.

    – Daniel Pryden
    Nov 13 '18 at 12:47












  • You have two ways to solve this problem. Either (1) figure out a way to ensure that credentials are never put into logs, or (2) assume all logs contain credentials, and lock them down so only administrators are allowed to read them. Most likely, you will want to do both.

    – Daniel Pryden
    Nov 13 '18 at 12:51
















python security logging






edited Nov 17 '18 at 16:07







sorin

















asked Nov 13 '18 at 11:28









sorin
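
An added example, not part of the original question, its comments or its answer: one way to build the filter the question describes, as a `logging.Filter` that masks the values of environment variables whose names look sensitive, plus any `NAME=value` pair with such a name (as printed by `set`). The name patterns, the `********` mask, the `min_length` cutoff and the sample environment are assumptions chosen for illustration.

```python
import io
import logging
import os
import re

# Assumed default: name fragments that mark a variable as likely sensitive.
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.I)
# NAME=value pairs as printed by `set` or `env` (value bare or quoted).
ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\"[^\"]*\"|'[^']*'|\S+)")
MASK = "********"


class SecretRedactingFilter(logging.Filter):
    def __init__(self, environ=None, min_length=6):
        super().__init__()
        environ = os.environ if environ is None else environ
        # Literal values of sensitive-looking variables, so they are caught
        # even when printed without their name. Very short values are skipped:
        # replacing e.g. "1" everywhere would shred the log.
        values = {v for k, v in environ.items()
                  if SENSITIVE_NAME.search(k) and len(v) >= min_length}
        # Longest first, so a secret that contains another is masked whole.
        self._values = sorted(values, key=len, reverse=True)

    def redact(self, text):
        for value in self._values:
            text = text.replace(value, MASK)

        def mask_assignment(match):
            name = match.group(1)
            return f"{name}={MASK}" if SENSITIVE_NAME.search(name) else match.group(0)

        return ASSIGNMENT.sub(mask_assignment, text)

    def filter(self, record):
        # Render %-style args first so secrets passed as arguments are seen.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True  # never drop the record, only rewrite it


def demo():
    # Constructed sample environment and log lines, for illustration only.
    env = {"OS_PASSWORD": "hunter2-constructed", "HOME": "/home/ci"}
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactingFilter(env))
    log = logging.getLogger("redaction_demo")
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    log.info("OS_PASSWORD=%s", env["OS_PASSWORD"])
    log.info("retrying login with %s", env["OS_PASSWORD"])
    log.info("DB_TOKEN='abc def' HOME=/home/ci")
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

The filter is attached to the handler rather than to a logger because logger-level filters are not applied to records that propagate up from child loggers.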







1 Answer

Try hashing it by using the sha-256 algorithm






answered Nov 13 '18 at 14:00

user8221260




























