Potential fix for code scanning alert no. 3: Clear-text logging of sensitive information #77
Conversation
…nsitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -146,8 +146,7 @@ | |||
| if client_id == "new": | |||
| service_token_name = input('Please input name for service token > ') | |||
| client_id, client_secret = request_create_service_token(service_token_name) | |||
| print( | |||
| f"Created service token with client_id {client_id} and client_secret {client_secret}. You may want to save these secrets.") | |||
| print(f"Created service token with client_id {client_id}. Please save the client_id and client_secret securely.") | |||
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 18 days ago
To fix the problem, we need to ensure that sensitive information such as client_id and client_secret is not logged in clear text. Instead, we can log a generic message indicating that a service token was created without including the sensitive details. This way, we maintain the functionality of informing the user about the creation of the service token without exposing sensitive information.
We will modify the code in public/cloudflare-one/static/authenticated-doh.py to remove the sensitive information from the log message on line 149.
| @@ -148,3 +148,3 @@ | ||
| client_id, client_secret = request_create_service_token(service_token_name) | ||
| print(f"Created service token with client_id {client_id}. Please save the client_id and client_secret securely.") | ||
| print("Created service token. Please save the client_id and client_secret securely.") | ||
|
|
|
CI run failed: build logs |
Potential fix for https://github.com/krishnprakash/cloudflare-docs/security/code-scanning/3
To fix the problem, we need to avoid logging the
client_secretin clear text. Instead, we can log a message indicating that the service token was created without including the sensitive information. This way, we maintain the functionality of informing the user that the token was created while ensuring that sensitive data is not exposed.We will modify the print statement on line 150 to exclude the
client_secret. We will also add a note to the user to save the secrets without logging them.Suggested fixes powered by Copilot Autofix. Review carefully before merging.