[Security] AST-04: Debug Logging Exposes Full Request URLs with Signatures #22
Severity: MEDIUM
Affected File(s): aster/api.py:97,107
Description
Two logging.debug() calls in aster/api.py write the full request URL and the complete response body to the log. For signed requests the URL's query string carries the HMAC signature, and the createApiKey endpoint returns apiKey and apiSecret in its response body, so both the per-request signature and a persistent credential pair end up in log output.
Vulnerable Code
logging.debug("url: " + url)  # for signed requests the query string of url carries the HMAC signature
logging.debug("raw response from server:" + response.text)  # for createApiKey, response.text carries apiKey and apiSecret
Impact
When DEBUG logging is enabled (which the README encourages for troubleshooting), HMAC signatures and apiKey/apiSecret pairs are written to log files. A logged signature only allows replay of the exact request it covers, but a logged apiKey/apiSecret pair lets anyone who can read the log sign arbitrary new requests for as long as the key remains valid. Log files are also routinely shipped to log aggregators, shared with support, or pasted into bug reports, which widens the exposure well beyond the machine that produced them.
Proof of Concept
Enable DEBUG logging, call the createApiKey endpoint, and observe the signed request URL (including the signature) and the full apiKey/apiSecret pair in the log output.
Recommended Fix
Redact the signature parameter from logged URLs and mask apiKey/apiSecret (and any other secret-bearing fields) in response bodies before they are passed to logging.debug(). Prefer logging the request path and parameter names over the full URL. As a safety net, attach a logging.Filter that scrubs these patterns from every record, so a future call site cannot reintroduce the leak. Any API key whose secret may already have been written to a log should be rotated.
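The following is an added example of the recommended fix, not code from the aster project. It assumes the signed-URL parameter is named signature and the sensitive response fields are apiKey and apiSecret (adjust SENSITIVE_PARAMS and SENSITIVE_FIELDS to match aster/api.py); the sample URL and JSON body are constructed for illustration. It shows a structured URL redactor, a JSON-aware body redactor with a textual fallback for non-JSON responses, and a logging.Filter that scrubs every record as a last line of defence.

```python
import json
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names, based on the finding: the signed-URL parameter and the
# credential fields returned by createApiKey. Adjust to the real API.
SENSITIVE_PARAMS = {"signature"}
SENSITIVE_FIELDS = {"apiKey", "apiSecret"}
MASK = "REDACTED"

# Textual patterns for the safety-net filter: "signature=<value>" in a URL and
# "apiKey": "<value>" style pairs in a JSON-looking string.
_URL_PARAM_RE = re.compile(
    r"(?i)\b(%s)=([^&\s]+)" % "|".join(map(re.escape, SENSITIVE_PARAMS))
)
_JSON_FIELD_RE = re.compile(
    r'("(?:%s)"\s*:\s*")[^"]*(")' % "|".join(map(re.escape, SENSITIVE_FIELDS))
)


def redact_url(url: str) -> str:
    """Mask sensitive query parameters; keep path and harmless parameters intact."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, MASK if k in SENSITIVE_PARAMS else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def _mask(obj):
    """Recursively mask sensitive keys in decoded JSON (dicts nested in lists too)."""
    if isinstance(obj, dict):
        return {k: (MASK if k in SENSITIVE_FIELDS else _mask(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_mask(v) for v in obj]
    return obj


def scrub(text: str) -> str:
    """Regex-based scrub for arbitrary text (used when structure is unknown)."""
    text = _URL_PARAM_RE.sub(lambda m: "%s=%s" % (m.group(1), MASK), text)
    return _JSON_FIELD_RE.sub(lambda m: "%s%s%s" % (m.group(1), MASK, m.group(2)), text)


def redact_body(text: str) -> str:
    """Mask sensitive fields in a JSON response body; fall back to scrub() for non-JSON."""
    try:
        data = json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return scrub(text)
    return json.dumps(_mask(data), separators=(",", ":"))


class RedactingFilter(logging.Filter):
    """Safety net: scrub the rendered message of every record before handlers see it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # message is already rendered; prevent re-formatting
        return True


def log_exchange(logger: logging.Logger, url: str, response_text: str) -> None:
    """The two debug calls from the finding, with redaction applied at the call site."""
    logger.debug("url: %s", redact_url(url))
    logger.debug("raw response from server: %s", redact_body(response_text))


class _ListHandler(logging.Handler):
    """Collects formatted log lines so the filter's effect can be checked offline."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def captured_debug_line(message: str) -> str:
    """Log `message` at DEBUG through a logger wearing RedactingFilter; return what was emitted."""
    logger = logging.getLogger("redaction.demo")  # assumed logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _ListHandler()
    logger.handlers = [handler]
    logger.filters = []
    logger.addFilter(RedactingFilter())
    logger.debug(message)
    return handler.lines[0]


if __name__ == "__main__":
    # Constructed sample inputs: a signed request URL and a createApiKey-style body.
    sample_url = "https://api.example.test/v1/order?symbol=BTCUSDT&timestamp=1700000000000&signature=abcdef0123"
    sample_body = '{"apiKey":"AK123","apiSecret":"s3cr3t","status":"ok"}'
    print(redact_url(sample_url))
    print(redact_body(sample_body))
    print(captured_debug_line("url: " + sample_url))  # the unredacted original call, caught by the filter
```

Call-site redaction (redact_url / redact_body) is the primary fix because it knows the structure of what it is logging; the filter is deliberately pattern-based so it also catches a bare `"url: " + url` that someone adds later, at the cost of being only as good as its regexes.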
Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.
Researcher: Independent Security Researcher -- Mefai Security Team