From e90c0aedf8d64a5737c901d77a52db24681a8546 Mon Sep 17 00:00:00 2001
From: Felipe Monteiro
Date: Mon, 12 Mar 2018 20:42:31 +0000
Subject: [PATCH] Security fix: Remove document data printout from exception message
This is to remove document data printout from the MissingDocumentKey exception message which could expose sensitive data if it is caught and logged by other services, for example. Instead, the child and parent documents' schema and name are printed, in addition to the action object in which the path that could not be resolved in either parent or document is contained.
Change-Id: I07f43e57527d05e98e98e5f80567b97dd2a762f9
---
 deckhand/engine/layering.py | 24 +++++++++++++++---------
 deckhand/errors.py | 16 +++++++++++++---
 2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/deckhand/engine/layering.py b/deckhand/engine/layering.py
index fed632fb..ed3c521c 100644
--- a/deckhand/engine/layering.py
+++ b/deckhand/engine/layering.py
@@ -405,9 +405,11 @@ class DocumentLayering(object):
 action_path)
 if from_child is None:
 raise errors.MissingDocumentKey(
- child=child_data.data,
- parent=overall_data.data,
- key=action_path)
+ child_schema=child_data.schema,
+ child_name=child_data.name,
+ parent_schema=overall_data.schema,
+ parent_name=overall_data.name,
+ action=action)
 engine_utils.deep_delete(from_child, overall_data.data, None)
@@ -417,9 +419,11 @@ class DocumentLayering(object):
 if from_child is None:
 raise errors.MissingDocumentKey(
- child=child_data.data,
- parent=overall_data.data,
- key=action_path)
+ child_schema=child_data.schema,
+ child_name=child_data.name,
+ parent_schema=overall_data.schema,
+ parent_name=overall_data.name,
+ action=action)
 if (isinstance(from_parent, dict) and isinstance(from_child, dict)):
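Review bot: The five-keyword `raise errors.MissingDocumentKey(...)` is now copied verbatim at three sites (this hunk, the one at -417 and the one at -436), so a later edit to one of them could put `.data` back into the message without the other two showing it. A single private helper that takes the child document, the parent document and the action, and builds the exception, would keep the redaction in one place. The enclosing method starts and ends outside all three hunks, so where the helper lives is left open here.

```python
def _missing_document_key(child, parent, action):
    # Only identifying metadata goes into the message, never `.data`.
    return errors.MissingDocumentKey(
        child_schema=child.schema,
        child_name=child.name,
        parent_schema=parent.schema,
        parent_name=parent.name,
        action=action)

# ... unchanged: jsonpath lookup that assigns from_child ...
if from_child is None:
    raise _missing_document_key(child_data, overall_data, action)
```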
@@ -436,9 +440,11 @@ class DocumentLayering(object):
 if from_child is None:
 raise errors.MissingDocumentKey(
- child=child_data.data,
- parent=overall_data.data,
- key=action_path)
+ child_schema=child_data.schema,
+ child_name=child_data.name,
+ parent_schema=overall_data.schema,
+ parent_name=overall_data.name,
+ action=action)
 overall_data.data = utils.jsonpath_replace(
 overall_data.data, from_child, action_path)
diff --git a/deckhand/errors.py b/deckhand/errors.py
index 80631bd9..6c820fc4 100644
--- a/deckhand/errors.py
+++ b/deckhand/errors.py
@@ -230,12 +230,22 @@ class SubstitutionDependencyCycle(DeckhandException):
 class MissingDocumentKey(DeckhandException):
- """The key does not exist in the "rendered_data".
+ """Either the parent or child document data is missing the action path
+ used for layering.
 **Troubleshoot:**
+
+ * Check that the action path exists in the data section for both child
+ and parent documents being layered together.
+ * Note that previous delete layering actions can affect future layering
+ actions by removing a path needed by a future layering action.
+ * Note that substitutions that substitute in lists or objects into the
+ rendered data for a document can also complicate debugging this issue.
 """
- msg_fmt = ("Missing document key %(key)s from either parent or child. "
- "Parent: %(parent)s. Child: %(child)s.")
+ msg_fmt = ("Missing action path in %(action)s needed for layering from "
+ "either the data section of the parent [%(parent_schema)s] "
+ "%(parent_name)s or child [%(child_schema)s] %(child_name)s "
+ "document.")
 code = 400
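Review bot: `action=action` hands the whole action object to the `%(action)s` placeholder, so the message prints every key that object carries rather than only the path that failed to resolve. What an action can contain is not visible in this hunk; if it is free-form document metadata, the message is still unbounded in what it can echo. Passing `action_path`, which the removed code already used, would limit the message to the one value a reader needs. The same applies to the two earlier raise sites in this file.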
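Review bot: Nothing in this commit pins the new behaviour: the diffstat lists only layering.py and errors.py, so no test asserts that a rendered MissingDocumentKey message leaves out the document data. A unit test that triggers the layering failure with a recognisable marker value in the `data` section, and asserts that the marker is absent from the exception message, would catch a regression. Changing the `msg_fmt` placeholders also means any caller still passing `child=`, `parent=` and `key=` no longer matches the format string. Only the three layering.py sites are updated here, so it is worth confirming there are no other callers.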