From 4bee8eae2f860d66ddf9047e015132d5bb29a91d Mon Sep 17 00:00:00 2001
From: Phileco <132178579+krishnprakash@users.noreply.github.com>
Date: Wed, 12 Mar 2025 20:48:01 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 1: Clear-text logging of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 public/cloudflare-one/static/authenticated-doh.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/public/cloudflare-one/static/authenticated-doh.py b/public/cloudflare-one/static/authenticated-doh.py
index 746e4c70016f8bc..0f7bca8183e4592 100644
--- a/public/cloudflare-one/static/authenticated-doh.py
+++ b/public/cloudflare-one/static/authenticated-doh.py
@@ -8,6 +8,15 @@
 verbose = os.environ.get('VERBOSE', False)
+def sanitize_command(command):
+ sanitized_command = []
+ for part in command:
+ if part.startswith('Cf-Access-Client-Secret:'):
+ sanitized_command.append('Cf-Access-Client-Secret: [REDACTED]')
+ else:
+ sanitized_command.append(part)
+ return sanitized_command
+
 def check_for_command(command):
 try:
@@ -69,7 +78,8 @@ def request_doh_token(account_tag, user_id, client_id, client_secret):
 '-H', f"Cf-Access-Client-Id: {client_id}",
 '-H', f"Cf-Access-Client-Secret: {client_secret}"]
 if verbose:
- print(f"Issuing request {' '.join(command)}")
+ sanitized_command = sanitize_command(command)
+ print(f"Issuing request {' '.join(sanitized_command)}")
 response = json.loads(subprocess.check_output(command))
 if verbose:
 print("Got response:")
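Review bot: `sanitize_command` redacts only an argv element that begins with the exact literal `Cf-Access-Client-Secret:`, so it is coupled to how `request_doh_token` spells that header; a later change to the header's casing, or the secret turning up in another argument, would silently put the secret back into the verbose log. Matching on the value is more robust than matching on the header name: accept an optional `secret=None` parameter and return `[part.replace(secret, '[REDACTED]') if secret else part for part in command]`, or at least compare with `part.lower().startswith('cf-access-client-secret:')` since HTTP header names are case-insensitive. The `Cf-Access-Client-Id` half of the service token is still printed unredacted; it is not a secret on its own, but it is half of the credential pair and there is little reason to log it. Either way the function needs a docstring stating the contract, e.g. `"""Return a copy of command with the Cf-Access-Client-Secret header value replaced by '[REDACTED]' for logging; every other element is returned unchanged."""`.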
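Review bot: Redacting the verbose log still leaves the secret on curl's command line, where the `-H "Cf-Access-Client-Secret: …"` element passed to `subprocess.check_output(command)` is readable by any local user through `ps` or `/proc/<pid>/cmdline` for the lifetime of the curl process. curl can read that header from stdin instead: replace the last `-H` pair in the list with `'--config', '-'` and call `subprocess.check_output(command, input=f'header = "Cf-Access-Client-Secret: {client_secret}"\n'.encode())`, which keeps the secret out of both the log and the process table and turns `sanitize_command` into a second line of defence rather than the only one. If that route is taken, reject or escape a `client_secret` containing a double quote or newline before writing it into the config line, since curl's config parser treats those as delimiters. If the `print` that follows `"Got response:"` outside this hunk emits the whole JSON body, the token it presumably carries is also logged in clear text and deserves the same redaction. `request_doh_token` begins before this hunk.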