Potential fix for code scanning alert no. 98: Clear-text logging of sensitive information#90
Potential fix for code scanning alert no. 98: Clear-text logging of sensitive information#90
Conversation
…ensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
📋 API Contract Changes Summary✅ No breaking changes detected - only additions and non-breaking modifications Changed Components:Core FrameworkContract diff saved to artifacts/diffs/core.json Module: authContract diff saved to artifacts/diffs/auth.json Module: cacheContract diff saved to artifacts/diffs/cache.json Module: chimuxContract diff saved to artifacts/diffs/chimux.json Module: configwatcherContract diff saved to artifacts/diffs/configwatcher.json Module: databaseContract diff saved to artifacts/diffs/database.json Module: eventbusContract diff saved to artifacts/diffs/eventbus.json Module: eventloggerContract diff saved to artifacts/diffs/eventlogger.json Module: httpclientContract diff saved to artifacts/diffs/httpclient.json Module: httpserverContract diff saved to artifacts/diffs/httpserver.json Module: jsonschemaContract diff saved to artifacts/diffs/jsonschema.json Module: letsencryptContract diff saved to artifacts/diffs/letsencrypt.json Module: logmaskerContract diff saved to artifacts/diffs/logmasker.json Module: reverseproxyContract diff saved to artifacts/diffs/reverseproxy.json Module: schedulerContract diff saved to artifacts/diffs/scheduler.json Artifacts📁 Full contract diffs and JSON artifacts are available in the workflow artifacts. |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
There was a problem hiding this comment.
Pull request overview
Updates reverseproxy module logging to avoid exposing tenant identifiers when response header modification fails, aligning with privacy/security goals in a multi-tenant reverse proxy.
Changes:
- Replace plaintext/sanitized tenant ID logging with a hashed representation in
ModifyResponseerror logging.
| // Log a hashed representation of the tenant ID to avoid exposing it in clear text | ||
| tenantHashStr := "" | ||
| if hasTenant { | ||
| sum := sha256.Sum256([]byte(tenantID)) | ||
| tenantHashStr = hex.EncodeToString(sum[:]) | ||
| } | ||
| m.app.Logger().Error("Response header modifier error", "backend", backendID, "tenant_hash", tenantHashStr, "error", err.Error()) |
There was a problem hiding this comment.
This log line manually computes a full SHA-256 hex string for the tenant ID, but this file already defines and consistently uses obfuscateTenantID(tenantID) for tenant_hash logging (and it intentionally truncates for brevity). Reuse the helper here (and consider logging the field only when hasTenant is true) to keep tenant hashing consistent across the module and avoid duplicated hashing logic.
| // Log a hashed representation of the tenant ID to avoid exposing it in clear text | |
| tenantHashStr := "" | |
| if hasTenant { | |
| sum := sha256.Sum256([]byte(tenantID)) | |
| tenantHashStr = hex.EncodeToString(sum[:]) | |
| } | |
| m.app.Logger().Error("Response header modifier error", "backend", backendID, "tenant_hash", tenantHashStr, "error", err.Error()) | |
| // Log an obfuscated representation of the tenant ID to avoid exposing it in clear text | |
| if hasTenant { | |
| m.app.Logger().Error( | |
| "Response header modifier error", | |
| "backend", backendID, | |
| "tenant_hash", obfuscateTenantID(tenantID), | |
| "error", err.Error(), | |
| ) | |
| } else { | |
| m.app.Logger().Error( | |
| "Response header modifier error", | |
| "backend", backendID, | |
| "error", err.Error(), | |
| ) | |
| } |
Potential fix for https://github.com/GoCodeAlone/modular/security/code-scanning/98
In general, to fix clear‑text logging of sensitive information, avoid logging the raw value. Either remove it from the log entirely, or transform it irreversibly (e.g., hash with a strong cryptographic hash) so that operators can correlate events without being able to recover the original sensitive data. Do not decrypt or otherwise materialize sensitive data just to log it, and keep logs free of directly identifying information where possible.
For this specific case, the best fix that minimally changes behavior is to stop logging the raw tenant ID and instead log a deterministic hash of it. This lets you still distinguish between different tenants in logs (same tenant → same hash) without exposing the actual identifier. Since
crypto/sha256andencoding/hexare already imported at the top ofmodule.go, we can reuse them without adding dependencies. We will replace the construction ofsafeTenantIDand its use in the log call with a hashed representation, for exampletenantHash := sha256.Sum256([]byte(tenantID))and loghex.EncodeToString(tenantHash[:])under a new key like"tenant_hash"(or, if you prefer, keep the key"tenant"but ensure the value is clearly a hash). All changes are confined to the shown block around line 1788 inmodules/reverseproxy/module.go.Concretely:
modules/reverseproxy/module.go, locate the block that buildssafeTenantID(the doublestrings.ReplaceAll) and logs"tenant", safeTenantID.tenantID(only whenhasTenantis true; for the empty case we can skip or log"unknown"/ empty).Suggested fixes powered by Copilot Autofix. Review carefully before merging.