Skip to content

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs#59688

Merged
vatsrahul1001 merged 9 commits intoapache:mainfrom
astronomer:fix-msgraph-secret-logging
Dec 24, 2025
Merged

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs#59688
vatsrahul1001 merged 9 commits intoapache:mainfrom
astronomer:fix-msgraph-secret-logging

Conversation

@sunank200
Copy link
Collaborator

@sunank200 sunank200 commented Dec 21, 2025
edited
Loading

Problem

The KiotaRequestAdapterHook was logging sensitive information at INFO level:

  • Client secrets
  • Proxy URLs with embedded credentials (e.g., http://user:pass@proxy.example.com:3128) were logged in plain text

Fix

  • Add "proxies" to DEFAULT_SENSITIVE_FIELDS in the shared secrets_masker
  • Use redact(proxies, name="proxies") to automatically mask proxy configurations containing credentials
  • Use redact(client_secret, name="client_secret") to mask client secrets

Testing

  • Added unit tests to verify
  • Manually tested with a custom DAG using KiotaRequestAdapterHook and following is the screenshot of the task logs:
Screenshot 2025-12-22 at 2 49 25 AM

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from a8fafc1 to 8e45f9d Compare December 21, 2025 20:39
@sunank200 sunank200 marked this pull request as ready for review December 21, 2025 21:06
@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from 4c4d6a6 to e6276ea Compare December 21, 2025 23:15
@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from e6276ea to 7755235 Compare December 22, 2025 06:22
amoghrajesh
amoghrajesh reviewed Dec 22, 2025
View reviewed changes
@sunank200 sunank200 requested a review from kaxil as a code owner December 22, 2025 06:59
@sunank200 sunank200 removed the request for review from kaxil December 22, 2025 06:59
@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from 23d0833 to 6f78a11 Compare December 22, 2025 07:13
amoghrajesh
amoghrajesh reviewed Dec 23, 2025
View reviewed changes
Copy link
Contributor

@amoghrajesh amoghrajesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are almost there, one comment

@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from 9f3db7c to c33e3e4 Compare December 23, 2025 07:55
amoghrajesh
amoghrajesh reviewed Dec 23, 2025
View reviewed changes
@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from 3b307d7 to 05525d1 Compare December 23, 2025 09:21
amoghrajesh
amoghrajesh approved these changes Dec 23, 2025
View reviewed changes
Copy link
Contributor

@amoghrajesh amoghrajesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One comment, otherwise LGTM

potiuk
potiuk reviewed Dec 23, 2025
View reviewed changes
@potiuk potiuk added the backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch label Dec 23, 2025
@potiuk potiuk added this to the Airflow 3.1.6 milestone Dec 23, 2025
@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from b3cb3da to 39479cd Compare December 23, 2025 14:32
@sunank200 sunank200 requested a review from potiuk December 23, 2025 14:32
@sunank200
Use compat module for redact import in Microsoft Graph hook
edcd513 
Re-export redact from airflow.sdk.log and add to compat module import map
to enable unconditional import via airflow.providers.common.compat.sdk
@sunank200
Add airflow.sdk._shared.secrets_masker and airflow.sdk.execution_time…
f24cc38 
….secrets_masker

to the import fallback chain for redact to support compact 3.0.6 and 3.1.5 environments
@sunank200
Simplify redact re-export in log.py
227cfc4
@sunank200
Remove explicit __all__ declaration as it's not needed for the re-export
665e22d
@sunank200
Fix PR comments: import paths changes
4f3e1bd
@sunank200
Add both singular and plural forms of proxy field names to
2c6b2c1 
DEFAULT_SENSITIVE_FIELDS in secrets_masker to ensure proxy
configurations are treated as sensitive by default regardless
of field naming convention.
@sunank200 sunank200 force-pushed the fix-msgraph-secret-logging branch from 39479cd to 2c6b2c1 Compare December 23, 2025 15:09
amoghrajesh
amoghrajesh approved these changes Dec 24, 2025
View reviewed changes
Copy link
Contributor

@amoghrajesh amoghrajesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks

@vatsrahul1001 vatsrahul1001 merged commit a9dea6d into apache:main Dec 24, 2025
97 checks passed
@vatsrahul1001 vatsrahul1001 deleted the fix-msgraph-secret-logging branch December 24, 2025 10:11
@github-actions
Copy link

github-actions bot commented Dec 24, 2025

Backport failed to create: v3-1-test. View the failure log Run details

Status Branch Result
v3-1-test Commit Link

You can attempt to backport this manually by running:

cherry_picker a9dea6d v3-1-test

This should apply the commit to the v3-1-test branch and leave the commit in conflict state marking
the files that need manual conflict resolution.

After you have resolved the conflicts, you can continue the backport process by running:

cherry_picker --continue

sunank200 added a commit to astronomer/airflow that referenced this pull request Dec 24, 2025
@sunank200
[v3-1-test] Prevent client secrets and proxy credentials from being l…
09a572c 
…ogged in Microsoft Graph hook logs (apache#59688)

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs (apache#59688)
(cherry picked from commit a9dea6d)
@sunank200 sunank200 mentioned this pull request Dec 24, 2025
Merged
Ankurdeewan pushed a commit to Ankurdeewan/airflow that referenced this pull request Dec 25, 2025
@sunank200 @Ankurdeewan
Prevent client secrets and proxy credentials from being logged in Mic…
865d6e5 
…rosoft Graph hook logs (apache#59688)

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs (apache#59688)
potiuk pushed a commit that referenced this pull request Dec 25, 2025
@sunank200
[v3-1-test] Prevent client secrets and proxy credentials from being l…
2504bd6 
…ogged in Microsoft Graph hook logs (#59688) (#59792)

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs (#59688)
(cherry picked from commit a9dea6d)
@shahar1 shahar1 mentioned this pull request Dec 30, 2025
Closed
54 tasks
Subham-KRLX pushed a commit to Subham-KRLX/airflow that referenced this pull request Jan 2, 2026
@sunank200 @Subham-KRLX
Prevent client secrets and proxy credentials from being logged in Mic…
9b50101 
…rosoft Graph hook logs (apache#59688)

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs (apache#59688)
ephraimbuddy pushed a commit that referenced this pull request Jan 6, 2026
@sunank200 @ephraimbuddy
[v3-1-test] Prevent client secrets and proxy credentials from being l…
08a6cea 
…ogged in Microsoft Graph hook logs (#59688) (#59792)

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs (#59688)
(cherry picked from commit a9dea6d)
stegololz pushed a commit to stegololz/airflow that referenced this pull request Jan 9, 2026
@sunank200 @stegololz
Prevent client secrets and proxy credentials from being logged in Mic…
177de22 
…rosoft Graph hook logs (apache#59688)

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs (apache#59688)
@heepengpeng
Copy link

heepengpeng commented Jan 27, 2026

Is this related to https://nvd.nist.gov/vuln/detail/CVE-2025-68675

@kravii
Copy link

kravii commented Feb 2, 2026

Can we please get a confirmation on above if it is a targeted fix for - CVE-2025-68675 ?

@potiuk
Copy link
Member

potiuk commented Feb 3, 2026

Yeah. It is. We have not linked the PR to the CVE (we usually do) - we will also fix it in the CVE announcement itself. Thanks for asking @heepengpeng @kravii

@potiuk
Copy link
Member

potiuk commented Feb 3, 2026

Yeah. It is. We have not linked the PR to the CVE (we usually do) - we will also fix it in the CVE announcement itself. Thanks for asking @heepengpeng @kravii

The CVE should be updated shortly to contain link to that PR

@kravii
Copy link

kravii commented Feb 3, 2026

thanks a lot for the confirmation @potiuk.

jhgoebbert pushed a commit to jhgoebbert/airflow_Owen-CH-Leung that referenced this pull request Feb 8, 2026
@sunank200 @jhgoebbert
Prevent client secrets and proxy credentials from being logged in Mic…
4b27999 
…rosoft Graph hook logs (apache#59688)

Prevent client secrets and proxy credentials from being logged in Microsoft Graph hook logs (apache#59688)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@uranusjr uranusjr uranusjr left review comments

@amoghrajesh amoghrajesh amoghrajesh approved these changes

@vatsrahul1001 vatsrahul1001 vatsrahul1001 approved these changes

@ashb ashb Awaiting requested review from ashb ashb is a code owner

@potiuk potiuk Awaiting requested review from potiuk potiuk is a code owner

Assignees

No one assigned

Labels

area:providers backport-to-v3-1-test Mark PR with this label to backport to v3-1-test branch provider:microsoft-azure Azure-related issues

Projects

None yet

Milestone

Airflow 3.1.6

Development

Successfully merging this pull request may close these issues.

7 participants

@sunank200 @heepengpeng @kravii @potiuk @uranusjr @amoghrajesh @vatsrahul1001