| Repository | django/django · issue #12700 |
| Severity | Security — disclosed publicly after review by Django's security team |
| Kodah runtime | 78.4 seconds |
The bug
When a Django application crashes in debug mode, the framework displays a detailed error page that includes every value in the configuration file: database credentials, API keys, third-party service tokens, anything stored in settings. Django ships with a filter designed to make that page safe: before rendering, it scans every setting and replaces any value whose key matches sensitive patterns with a row of asterisks.
The filter worked correctly for dictionaries, recursing through every level and redacting what it found. What it didn't do was descend into lists, tuples, or sets.
If a sensitive value was stored inside a list, a completely common structure in Django configuration, the filter returned it untouched.
The filter stopped at the container boundary and passed the entire value through as-is. The redaction it was designed to provide simply didn't happen.
What Kodah did
Kodah identified that the filter's recursion logic covered dictionaries but stopped at other iterable types. The fix required extending that same recursion to lists, tuples, and sets, including arbitrarily nested combinations of them. Kodah also handled the edge case where a set contains unhashable items which would cause a silent failure if reconstructed naively after cleansing.
Kodah's patch
The human patch — commit 2c4e0f4
How they compare
Both patches fix the reported case. The human patch covers lists and tuples at a single level of depth, a direct answer to the issue as filed. Kodah, however, went further: beyond the reported cases, it covered sets, handled arbitrarily nested combinations of all three types recursively, and added a fallback for the edge case of unhashable items inside sets; none of which were in the original report, all of them already handled.
| Coverage | Kodah | Human (commit 2c4e0f4) |
|---|---|---|
| Lists | ✓ Covered | ✓ Covered |
| Tuples | ✓ Covered | ✓ Covered |
| Sets | ✓ Covered | ✗ Not covered |
| Nested iterables | ✓ Recursive | ✗ One level only |
| Unhashable item fallback | ✓ Handled | ✗ Silent failure |
A security gap in one of the most widely used frameworks in Python, fixed in 78 seconds. Kodah — $0.50 per fix.
← Back to Blog