Skip to content

fix: sanitize parser sandbox error messages to prevent sensitive data leaks#1680

Open
ionfwsrijan wants to merge 1 commit into
utksh1:mainfrom
ionfwsrijan:fix/1626-parser-sandbox-sensitive-data-leak
Open

fix: sanitize parser sandbox error messages to prevent sensitive data leaks#1680
ionfwsrijan wants to merge 1 commit into
utksh1:mainfrom
ionfwsrijan:fix/1626-parser-sandbox-sensitive-data-leak

Conversation

@ionfwsrijan

Copy link
Copy Markdown
Contributor

Description

The ParserSandboxError exception includes captured stderr output (up to 2000 chars) in its message, which propagates through the call stack into task.error_message in the database and ultimately to the API response. Additionally, _BOOTSTRAP_TEMPLATE.format() uses user-influenced parser_path which can cause format-string injection.

Changes

  1. backend/secuscan/parser_sandbox.py:ParserSandboxError — Apply redact() to the stderr excerpt and reduce limit from 2000 to 500 chars. This ensures secrets in parser diagnostic output are sanitized before they reach the API layer.
  2. backend/secuscan/parser_sandbox.py:_BOOTSTRAP_TEMPLATE — Replace str.format() with str.replace() using sentinel markers (__MAX_INPUT_BYTES__, __PARSER_PATH_REPR__) to prevent format-string injection via user-influenced parser_path.
  3. backend/secuscan/executor.py:execute_task() — Apply redact() to str(e) before storing as error_message in the general exception handler.
  4. backend/secuscan/executor.py:_parse_results() — Apply redact() to the error message in the generic exception handler.
  5. backend/secuscan/parser_sandbox.py — Updated module docstring with security notes about stderr sensitivity.

Impact

  • Secrets in parser stderr output are redacted before reaching the API response
  • Format-string injection via plugin file paths is eliminated
  • Error messages stored in the database are sanitized
  • Diagnostic stderr is still captured for logging but sanitized before user-facing exposure

Files Changed

  • backend/secuscan/parser_sandbox.py — ParserSandboxError sanitization, template injection fix, docstring update
  • backend/secuscan/executor.py — redact() applied in exception handlers

Closes #1626

@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please review this. The failing check is pre-exisiting

@utksh1 utksh1 left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parser-sandbox error sanitization is good, but backend-unit CI is failing and the branch has merge conflicts. Please rebase on latest main, fix the failing tests, and push again.

@utksh1 utksh1 added level:intermediate 35 pts difficulty label for moderate contributor PRs type:security Security work category bonus label type:bug Bug fix work category bonus label area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests labels Jul 9, 2026
@ionfwsrijan ionfwsrijan force-pushed the fix/1626-parser-sandbox-sensitive-data-leak branch from c782e1c to b828e38 Compare July 10, 2026 01:49
@ionfwsrijan ionfwsrijan reopened this Jul 10, 2026
@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please review this now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests level:intermediate 35 pts difficulty label for moderate contributor PRs type:bug Bug fix work category bonus label type:security Security work category bonus label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Parser Sandbox Captures Stderr with Sensitive Data and Leaks It Via Exception Messages

2 participants