Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Python Zen (and security) violation #2

Open
levigross opened this issue May 11, 2015 · 2 comments
Open

Python Zen (and security) violation #2

levigross opened this issue May 11, 2015 · 2 comments

Comments

@levigross
Copy link

The Python Zen states

Errors should never pass silently.
Unless explicitly silenced.

The following code

        if isinstance(value, basestring):
            try:
                value = decrypt_str(value)
            except cryptography.fernet.InvalidToken:
                pass

Is silent if the decryption process fails. It should not be as there is no good reason for the encryption process to fail (and if it does it is important to let the user know).

I would change this code to raise a SuspiciousOperation exception.

https://docs.djangoproject.com/en/1.8/ref/exceptions/#suspiciousoperation

@LucasRoesler
Copy link

The one nice thing of it failing silently, is that it allows you to change the field type to the encrypted field while still reading older unencrypted values. Raising an error might make it a little bit more difficult to migrate old columns.

@levigross
Copy link
Author

But it is the right thing to do. The Pythonic way...

octaflop pushed a commit to octaflop/django-cryptographic-fields that referenced this issue Aug 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants