Disable typer rich tracebacks to avoid secret leak in logs
Context
-------
Live run of `broker-sync trading212` hit a PermissionError and typer's rich traceback printed every local variable, including the cleartext WF_PASSWORD and the T212 api_key strings, into pod logs. Kubernetes pod logs are world-readable cluster-wide — that's a security incident.

This change
-----------
- Pass `pretty_exceptions_enable=False` to the typer.Typer constructor. Plain stdlib tracebacks don't dump frame locals.
- Rich is still available for help text; only crash formatting changes.

Follow-up in infra/stacks/broker-sync: add `security_context.fs_group = 10001` to every pod spec so the PVC is owned by the broker user (the original PermissionError that triggered the traceback was the broker user being unable to write /data/watermarks).

Test plan
---------
## Automated
- poetry run pytest -q → 70 passed
- poetry run mypy broker_sync tests → clean
- poetry run ruff check . → clean

## Manual Verification
Re-run the backfill Job after the image is rebuilt + the infra fsGroup change is applied.
parent 66cf0e0399
commit 1d0769c9e6
1 changed file with 8 additions and 1 deletion
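The commit message's core claim is that a traceback which renders frame locals will print a credential that happens to be bound in the failing frame, while a plain stdlib traceback will not. The following is an added example, not code from the broker-sync project: it reproduces the situation with the standard library alone, using `traceback.TracebackException(capture_locals=True)` as a stand-in for a rich-style "show locals" traceback (an assumption; typer's pretty exceptions delegate to rich, which is not imported here). The secret value, the `write_watermark` function and the path are constructed for the demonstration.

```python
import traceback

# Constructed sample credential; stands in for an env-sourced secret such as
# WF_PASSWORD. Never a real value.
FAKE_SECRET = "hunter2-not-a-real-password"


def write_watermark(path: str, password: str) -> None:
    """Hypothetical failing operation (not the project's own function).

    The credential is a local variable in this frame at the moment the
    exception is raised, which is exactly the condition that makes a
    locals-rendering traceback dangerous.
    """
    api_key = password  # credential held in a frame local
    raise PermissionError(13, "Permission denied", path)


def render_traceback(capture_locals: bool) -> str:
    """Trigger the failure and format its traceback as text.

    capture_locals=True mimics a rich-style traceback that prints every
    frame's locals (assumption: used as a stand-in for typer's pretty
    exceptions). capture_locals=False is what a plain stdlib traceback
    prints, i.e. source lines and the exception message only.
    """
    try:
        write_watermark("/data/watermarks", FAKE_SECRET)
    except PermissionError as exc:
        tbe = traceback.TracebackException.from_exception(
            exc, capture_locals=capture_locals
        )
        return "".join(tbe.format())
    raise AssertionError("expected PermissionError")  # pragma: no cover


def traceback_leaks(secret: str, capture_locals: bool) -> bool:
    """True if the rendered traceback contains the secret in cleartext.

    This is the check a log-hygiene test can assert on: the locals-rendering
    form leaks, the plain form does not.
    """
    return secret in render_traceback(capture_locals)


if __name__ == "__main__":
    for mode in (True, False):
        label = "locals rendered" if mode else "plain traceback"
        print(f"--- {label}: leaks secret = {traceback_leaks(FAKE_SECRET, mode)}")
        print(render_traceback(mode))
```

Running the block prints both renderings side by side; the locals-rendering one shows `password = 'hunter2-not-a-real-password'` in the `write_watermark` frame, the plain one shows only the source lines and `PermissionError: [Errno 13] Permission denied: '/data/watermarks'`. The `traceback_leaks` helper is the shape of regression test worth keeping next to a CLI entry point: feed it the real secret names from the environment in CI and assert it returns False for the traceback path the application actually uses.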
|
|
@ -14,7 +14,14 @@ import typer
|
||||||
if TYPE_CHECKING:
|
if TYPE_CHECKING:
|
||||||
from broker_sync.models import Account
|
from broker_sync.models import Account
|
||||||
|
|
||||||
app = typer.Typer(help="broker-sync: pull brokerage activity into Wealthfolio")
|
app = typer.Typer(
|
||||||
|
help="broker-sync: pull brokerage activity into Wealthfolio",
|
||||||
|
# CRITICAL: rich tracebacks print all local variables on crash, which
|
||||||
|
# includes env-sourced credentials (WF_PASSWORD, T212_API_KEYS_JSON).
|
||||||
|
# Kubernetes pod logs are world-readable — leaking creds there is a
|
||||||
|
# security incident. Plain tracebacks only.
|
||||||
|
pretty_exceptions_enable=False,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
@app.command("version")
|
@app.command("version")
|
||||||
|
|
|
||||||
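Review bot: the comment block above `pretty_exceptions_enable=False` should state why the whole pretty handler is disabled rather than only the locals dump, because typer also accepts `pretty_exceptions_show_locals=False`, which suppresses the variable listing while keeping rich's crash formatting; without that sentence the next reader may treat this flag as cosmetic and flip it back on. Disabling it entirely is the safer choice and fine to keep, but note that the setting only governs exceptions that propagate through this `app`: any other handler configured to render frame locals (a rich logging handler, for instance) would still print them, so "Plain tracebacks only" holds for typer's own handler, not for the process as a whole.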