Skip to content

Potential fix for code scanning alert no. 519: Clear-text logging of sensitive information #54742

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
potiuk merged 1 commit into from
Aug 20, 2025
Merged

Potential fix for code scanning alert no. 519: Clear-text logging of sensitive information #54742

potiuk merged 1 commit into from
Aug 20, 2025

Conversation

@potiuk
Copy link
Member

@potiuk potiuk commented Aug 20, 2025

Potential fix for https://github.com/apache/airflow/security/code-scanning/519

To fix the problem, we should avoid logging the OAuth token in clear text. Instead, we can log that a token was retrieved, without including its value. If necessary for debugging, we could log only non-sensitive metadata (such as the type or length of the token), or redact the token value (e.g., log only the first few characters, or a hash). The best fix is to remove the token value from the log message entirely, replacing it with a generic message indicating that the token was accessed. This change should be made in the oauth_token_getter static method, specifically on line 2196. No new imports or definitions are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@potiuk @github-advanced-security
Potential fix for code scanning alert no. 519: Clear-text logging of …
02223df 
…sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@potiuk potiuk marked this pull request as ready for review August 20, 2025 15:21
@potiuk potiuk requested a review from vincbeck as a code owner August 20, 2025 15:21
@potiuk potiuk added the backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch label Aug 20, 2025
@potiuk potiuk merged commit a51a604 into main Aug 20, 2025
100 of 104 checks passed
@potiuk potiuk deleted the Remove-debugging-for-potentially-sensitive-token branch August 20, 2025 19:20
@potiuk potiuk removed the backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch label Aug 20, 2025
github-actions bot pushed a commit that referenced this pull request Aug 20, 2025
@potiuk @github-advanced-security
[v3-0-test] Potential fix for code scanning alert no. 519: Clear-text…
79d8a32 
… logging of sensitive information (#54742)

(cherry picked from commit a51a604)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions
Copy link

github-actions bot commented Aug 20, 2025

Backport successfully created: v3-0-test

Status Branch Result
v3-0-test PR Link

@potiuk
Copy link
Member Author

potiuk commented Aug 20, 2025

no need to backport

mangal-vairalkar pushed a commit to mangal-vairalkar/airflow that referenced this pull request Aug 30, 2025
@potiuk @github-advanced-security @mangal-vairalkar
Potential fix for code scanning alert no. 519: Clear-text logging of …
fff0e05 
…sensitive information (apache#54742)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@eladkal eladkal mentioned this pull request Sep 5, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eladkal eladkal eladkal approved these changes

@vincbeck vincbeck Awaiting requested review from vincbeck vincbeck is a code owner

Assignees

No one assigned

Labels

area:providers provider:fab

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@potiuk @eladkal