Bug 1215722 - VUL-0: python-python-redmine: API key leak
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/379842/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-26 12:00 UTC by Alexander Bergmann
Modified: 2024-04-19 10:05 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
abergmann: needinfo? (mardnh)


Description Alexander Bergmann 2023-09-26 12:00:23 UTC
https://github.com/maxtepkeev/python-redmine/issues/330

The quick way to test it is with no Internet connection:

import os
import logging
from redminelib import Redmine
from redminelib.exceptions import BaseRedmineError
from requests.exceptions import RequestException

URL = os.getenv("URL", "https://progress.opensuse.org")
USER = os.getenv("USER", "test")
API_KEY = "MYAPIKEY"

try:
    client = Redmine(URL, username=USER, key=API_KEY)
    client.issue.get(777)
except (BaseRedmineError, RequestException) as exc:
    logging.error("%s", exc)

ERROR:root:HTTPSConnectionPool(host='progress.opensuse.org', port=443): Max retries exceeded with url: /issues/777.json?key=MYAPIKEY (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7fa218b31450>: Failed to resolve 'progress.opensuse.org' ([Errno -3] Temporary failure in name resolution)")) 

The only workaround is to catch requests.exceptions.ConnectionError.
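
The following is an added example, not part of the original report and not python-redmine code: a logging filter that scrubs the `key=` query parameter from exception text before it reaches a handler, which is the path by which the key lands in the log line above. The names `redact`, `RedactKeyFilter`, `PLACEHOLDER` and `demo` are hypothetical, and the error message is a constructed sample shaped like the one in the report.

```python
import io
import logging
import re

# The key travels as a `key` query parameter; match its value up to the next delimiter.
_KEY_PARAM = re.compile(r"(?i)([?&]key=)[^&\s#'\")]+")
PLACEHOLDER = "[REDACTED]"  # assumption: marker text chosen for this example


def redact(text: str) -> str:
    """Replace the value of every key= query parameter found in text."""
    return _KEY_PARAM.sub(r"\1" + PLACEHOLDER, text)


class RedactKeyFilter(logging.Filter):
    """Hypothetical filter: scrub the key from the message and the traceback."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() merges record.args, so an exception passed as a "%s"
        # argument (as in the report) is rendered before it is scrubbed.
        record.msg, record.args = redact(record.getMessage()), None
        # Formatters reuse exc_text when it is set, so cache a scrubbed copy.
        if record.exc_info:
            text = record.exc_text or logging.Formatter().formatException(record.exc_info)
            record.exc_text = redact(text)
        return True


def demo() -> str:
    """Log a constructed error shaped like the one in the report."""
    # Constructed sample; the builtin ConnectionError stands in for the requests exception.
    exc = ConnectionError(
        "HTTPSConnectionPool(host='progress.opensuse.org', port=443): Max "
        "retries exceeded with url: /issues/777.json?key=MYAPIKEY (Caused by ...)")
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactKeyFilter())  # on the handler: covers all loggers using it
    log = logging.getLogger("redmine_redaction_demo")
    log.addHandler(handler)
    log.propagate = False
    try:
        raise exc
    except ConnectionError as err:
        log.error("%s", err)            # the logging call from the report
        log.exception("lookup failed")  # traceback path
    finally:
        log.removeHandler(handler)
    return stream.getvalue()
```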
Comment 1 Ricardo Branco 2023-09-26 12:38:41 UTC
Another workaround:

https://github.com/maxtepkeev/python-redmine/pull/328#issuecomment-1728431742
Comment 2 Martin Hauke 2023-09-26 19:11:19 UTC
See https://build.opensuse.org/request/show/1113727
Comment 3 Alexander Bergmann 2023-09-27 06:13:25 UTC
@Martin, could you please prepare submissions for the following backports:

openSUSE:Backports:SLE-15-SP4
openSUSE:Backports:SLE-15-SP5
openSUSE:Backports:SLE-15-SP6

You can still submit to the SLE-15-SP6 GA project.
Comment 4 OBSbugzilla Bot 2023-09-29 08:35:08 UTC
This is an autogenerated message for OBS integration:
This bug (1215722) was mentioned in
https://build.opensuse.org/request/show/1114261 Factory / python-python-redmine