Reproducer for `aiochclient` password leak
import asyncio | |
import logging | |
import socketserver | |
import time | |
import threading | |
import aiochclient | |
import aiohttp.web | |
# TCP port on localhost shared by the connection-dropping server and the client.
PORT = 1234
def server_thread_target() -> None:
    """Serve TCP on ``localhost:PORT`` with a handler that does nothing.

    The handler never reads or writes, so each accepted connection is
    dropped as soon as possible. This gives the client a peer that
    disconnects in the middle of an HTTP exchange. Blocks forever in
    ``serve_forever()``; the script runs it on a daemon thread.
    """
    class _DropHandler(socketserver.BaseRequestHandler):
        def handle(self):
            # Deliberately empty: returning at once ends the connection.
            return None

    class _ReusableTCPServer(socketserver.TCPServer):
        # Let the reproducer be restarted without waiting for the old
        # socket on this port to leave TIME_WAIT.
        allow_reuse_address = True

    listener = _ReusableTCPServer(('localhost', PORT), _DropHandler)
    with listener:
        listener.serve_forever()
def client_thread_target() -> None:
    """Query the connection-dropping server until an unexpected error shows up.

    Builds an ``aiochclient.ChClient`` with a marker password and loops on
    ``fetchval('SELECT 1')``. ``ConnectionResetError`` and
    ``aiohttp.ServerDisconnectedError`` are ignored as uninteresting.
    The first exception of any other kind is logged with its traceback,
    and the process then exits.

    NOTE(review): the code only shows that the traceback is logged. That
    the password appears in it is presumed from the gist title; confirm
    against the logged output.
    """
    async def amain() -> None:
        client = aiochclient.ChClient(
            url=f'http://localhost:{PORT}/',
            database='database',
            user='admin',
            # Dummy marker value, easy to search for in the log output.
            password='secret-password',
        )
        while True:
            try:
                await client.fetchval('SELECT 1')
            except (ConnectionResetError, aiohttp.ServerDisconnectedError):
                # Expected result of the server dropping the socket;
                # not interesting, go around again.
                pass
            except Exception:
                # logging.exception records the message and the active
                # traceback. Any exception text that embeds the client's
                # credentials therefore lands in the log. Defensive
                # takeaway: redact credentials from HTTP-client errors
                # before logging them.
                logging.exception('Leak!')
                # NOTE(review): exit() is the helper injected by the
                # site module; sys.exit() is the portable spelling.
                exit()

    # Give the daemon server thread time to start listening before the
    # first connection attempt.
    time.sleep(0.5)
    asyncio.run(amain())
if __name__ == '__main__':
    # The server runs on a daemon thread so it cannot keep the process
    # alive once the client side has logged its finding and exited.
    server_thread = threading.Thread(
        target=server_thread_target,
        name='Server',
        daemon=True,
    )
    server_thread.start()
    client_thread_target()