
Potential fix for code scanning alert no. 3: Clear-text logging of sensitive information #3

Merged
erseco merged 1 commit into main from alert-autofix-3
Aug 4, 2025

Conversation

@erseco
Owner

@erseco erseco commented Aug 4, 2025

Potential fix for https://github.com/erseco/python-moodle/security/code-scanning/3

To fix the problem, we should avoid logging sensitive information such as passwords. The best way to do this is to redact or omit the password field from the payload before logging it. We can create a copy of the payload dictionary with the password replaced by a placeholder (e.g., "***REDACTED***"), and log this redacted version instead. This change should be made only in the debug log statement on line 110, and does not require changing the actual payload sent to the server. No new imports are needed, as dictionary copying and manipulation are built-in Python features.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…nsitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
redacted_payload = payload.copy()
if "password" in redacted_payload:
redacted_payload["password"] = "***REDACTED***"
print(f"[DEBUG] POST {login_url} payload={redacted_payload}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs sensitive data (password) as clear text.

Copilot Autofix

AI 8 months ago

To fix the problem, we should avoid logging any sensitive information, including usernames and authentication payloads, even in debug mode. Instead, we can log only non-sensitive information, such as the URL being accessed and the fact that a login attempt is being made. Specifically, in the block where the payload is logged, we should remove the payload from the log message or, at most, log only the non-sensitive fields (e.g., the presence of a logintoken, but not its value, and not the username or password). The change should be made in the _standard_login method, around line 113 in src/py_moodle/auth.py. No new imports or methods are required.


Suggested changeset 1
src/py_moodle/auth.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/py_moodle/auth.py b/src/py_moodle/auth.py
--- a/src/py_moodle/auth.py
+++ b/src/py_moodle/auth.py
@@ -109,6 +109,3 @@
         if self.debug:
-            redacted_payload = payload.copy()
-            if "password" in redacted_payload:
-                redacted_payload["password"] = "***REDACTED***"
-            print(f"[DEBUG] POST {login_url} payload={redacted_payload}")
+            print(f"[DEBUG] POST {login_url} (login attempt)")
         resp = self.session.post(login_url, data=payload, allow_redirects=True)
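Review bot: the replacement `+` line drops the payload from the debug output altogether, so a developer running with `self.debug` no longer learns which form fields were posted, which is the reason the debug line existed; logging only the key names, e.g. `print(f"[DEBUG] POST {login_url} fields={sorted(payload)}")`, keeps that information while exposing no value. The removed copy-and-mask block is worth noting as the reason a narrower fix was not enough: it masked only the `password` key, so the `username` and `logintoken` values in the same `payload` dict were still printed in clear text, which is what the alert on this line kept flagging. Separately, `print` writes to stdout where any caller or CI job captures it; emitting this through the `logging` module at DEBUG level lets the line be switched off per environment rather than per code change.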
EOF
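A fuller version of the two approaches discussed in this thread, the PR description's copy-and-mask redaction and the Copilot comment's suggestion to log only field names, as an added example that is not the project's code and is not taken from the page. The names `redact`, `describe_fields`, `RedactingFilter`, `debug_post_line` and `log_through_filter` are hypothetical, the key patterns beyond `password` and `logintoken` are assumptions about what a login client may carry, and the sample payload is constructed.

```python
"""Redacting credentials before they reach a debug log.

Added example; not code from erseco/python-moodle. Function and class names
are hypothetical, and the sample payload at the bottom is constructed.
"""
import io
import logging
import re
from typing import Any

REDACTED = "***REDACTED***"

# Keys whose *values* must never be logged. The page names "password" and
# "logintoken"; the other patterns are assumptions about what a login client
# may carry. Matching is by substring and case-insensitive, so "Password2",
# "logintoken" and "api_key" all hit. Over-redacting a harmless key is cheap;
# leaking one credential is not.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|token|secret|api_?key|auth", re.IGNORECASE)


def is_sensitive_key(key: Any) -> bool:
    """True if a mapping key looks like it holds a credential."""
    return isinstance(key, str) and SENSITIVE_KEY.search(key) is not None


def redact(value: Any) -> Any:
    """Return a deep copy of value with sensitive values masked.

    Unlike a one-level payload.copy() that masks only "password", this walks
    nested dicts and lists, so a logintoken inside a nested form is masked
    too. The input is never mutated: the real payload still goes on the wire.
    """
    if isinstance(value, dict):
        return {k: (REDACTED if is_sensitive_key(k) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, tuple):
        return tuple(redact(v) for v in value)
    return value


def describe_fields(payload: dict) -> str:
    """Describe a form payload by key name only: which fields were sent and
    whether each was non-empty. No value, sensitive or not, appears."""
    parts = []
    for key in sorted(payload):
        state = "set" if payload[key] not in (None, "") else "empty"
        parts.append(f"{key}={state}")
    return " ".join(parts)


class RedactingFilter(logging.Filter):
    """Scrub the arguments of every record before formatting, so a careless
    log.debug("payload=%s", payload) cannot leak a credential. logging stores
    a lone dict argument as record.args itself, hence the two branches."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True


def debug_post_line(url: str, payload: dict) -> str:
    """The line a debug mode should emit for a login POST: URL plus field names."""
    return f"[DEBUG] POST {url} fields: {describe_fields(payload)}"


def log_through_filter(url: str, payload: dict) -> str:
    """Send one debug record through a logger guarded by RedactingFilter and
    return the formatted text, so the effect of the filter can be checked."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("redact.example")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers = [handler]
    logger.debug("POST %s payload=%s", url, payload)
    handler.flush()
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample: the form fields a Moodle-style login page might post.
    sample = {"username": "alice", "password": "hunter2", "logintoken": "f00ba7", "anchor": ""}
    print(debug_post_line("https://moodle.example/login/index.php", sample))
    print(log_through_filter("https://moodle.example/login/index.php", sample))
```

Running it prints the keys-only line and then the filtered record, in which `password` and `logintoken` show as `***REDACTED***` while `username` is still visible. That difference is the design point: `redact` masks by key name, so a credential stored under a key the pattern does not recognise still leaks, whereas `describe_fields` can never print a value. On an authentication path the keys-only form is the safer default, and the filter is a second line of defence for every other log call in the process.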
@erseco erseco marked this pull request as ready for review August 4, 2025 21:27
@erseco erseco merged commit 558196e into main Aug 4, 2025
6 of 8 checks passed
@erseco erseco deleted the alert-autofix-3 branch August 4, 2025 21:27
