🛡️ Sentinel: [MEDIUM] Sanitize exceptions in logs#180
Conversation
- Wrapped exception objects in `sanitize_for_log()` before logging. - Prevents potential leakage of sensitive data (e.g., tokens in URLs) from exception messages. - Added regression test `tests/test_exception_logging.py`. Co-authored-by: abhimehro <84992105+abhimehro@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
Merging to
|
|
👋 Development Partner is reviewing this PR. Will provide feedback shortly. |
Summary of ChangesHello @abhimehro, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the application's security by implementing robust sanitization for exception messages before they are written to logs. By consistently redacting potentially sensitive information, such as API tokens or private URLs, from error and warning logs, it mitigates the risk of data leakage. The changes are validated by a new, dedicated test case that confirms the effectiveness of the sanitization process. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| all_rules.update(result) | ||
| except Exception as e: | ||
| folder_id = future_to_folder[future] | ||
| log.warning(f"Failed to fetch rules for folder ID {folder_id}: {e}") |
Check warning
Code scanning / Prospector (reported by Codacy)
Use lazy % formatting in logging functions (logging-fstring-interpolation) Warning
| @@ -852,7 +856,7 @@ | |||
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| except Exception as e: | ||
| # We log error but don't stop the whole process; | ||
| # individual folder failure shouldn't crash the sync | ||
| log.warning(f"Error fetching rules for folder {folder_id}: {e}") |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| all_rules.update(result) | ||
| except Exception as e: | ||
| folder_id = future_to_folder[future] | ||
| log.warning(f"Failed to fetch rules for folder ID {folder_id}: {e}") |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| @@ -1024,7 +1030,9 @@ | |||
| ) | |||
| return str(grp["PK"]) | |||
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively addresses a security vulnerability by sanitizing exceptions before they are logged, preventing potential leakage of sensitive data. The changes are applied consistently across all relevant logging statements. The addition of a new test file, tests/test_exception_logging.py, is a great step to verify the fix and prevent future regressions. I have one suggestion to refactor the new test to use @patch decorators, which improves the test's structure and robustness. Overall, this is a valuable security improvement.
There was a problem hiding this comment.
Pull request overview
This PR aims to prevent sensitive data leakage by ensuring exception messages are sanitized (via sanitize_for_log()) before being written to logs, and adds a regression test to confirm redaction behavior.
Changes:
- Apply
sanitize_for_log()to exceptions logged in severallog.warning/log.errorpaths. - Add a new test (
tests/test_exception_logging.py) to verify an exception containing a token is redacted when logged fromcheck_api_access().
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| main.py | Sanitizes exception values in multiple log statements to reduce the risk of leaking secrets via exception messages. |
| tests/test_exception_logging.py | Adds a regression test asserting tokens inside an exception message are redacted in logs. |
| log.error(f"API Access Check Failed ({code}): {sanitize_for_log(e)}") | ||
| return False | ||
| except httpx.RequestError as e: | ||
| log.error(f"Network Error during access check: {e}") | ||
| log.error(f"Network Error during access check: {sanitize_for_log(e)}") | ||
| return False |
There was a problem hiding this comment.
This change sanitizes exceptions in a few places, but main.py still has log statements that interpolate the raw exception ({e}) without sanitize_for_log, so sensitive URLs/tokens can still leak (e.g., the retry warning in _retry_request, the cache warmup Failed to pre-fetch ...: {e} warning, and the Could not extract ID ...: {e} debug log). To fully address the vulnerability described in the PR, sanitize those remaining exception logs as well (either by wrapping the exception with sanitize_for_log(...) or logging a sanitized str(e) via logger args).
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
👋 Development Partner is reviewing this PR. Will provide feedback shortly. |
| log.error(f"API Access Check Failed ({code}): {sanitize_for_log(e)}") | ||
| return False | ||
| except httpx.RequestError as e: | ||
| log.error(f"Network Error during access check: {e}") | ||
| log.error(f"Network Error during access check: {sanitize_for_log(e)}") | ||
| return False |
There was a problem hiding this comment.
PR description says all exceptions logged via log.error/log.warning are now sanitized, but main.py still logs raw exceptions in a few places (e.g., _retry_request() warning and warm_up_cache() warning, plus a create_folder() debug). That means sensitive URLs/tokens can still leak in logs; either extend the fix to those remaining log lines or narrow the PR description to match what’s actually covered.
| log.warning( | ||
| f"Failed to resolve/validate domain {hostname}: {sanitize_for_log(e)}" | ||
| ) | ||
| return False | ||
|
|
||
| except Exception as e: | ||
| log.warning(f"Failed to validate URL {sanitize_for_log(url)}: {e}") | ||
| log.warning( | ||
| f"Failed to validate URL {sanitize_for_log(url)}: {sanitize_for_log(e)}" | ||
| ) |
There was a problem hiding this comment.
Only check_api_access() has a regression test for exception-message redaction. The new/updated exception sanitization in validate_folder_url(), _fetch_folder_rules(), and create_folder() isn’t covered by tests (no tests assert these log messages are redacted), so it’s easy for future changes to reintroduce secret leakage in those paths. Add targeted tests that raise exceptions containing a secret/token and assert the logged message contains "[REDACTED]" and not the secret.
…ve tests Co-authored-by: abhimehro <84992105+abhimehro@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: abhimehro <84992105+abhimehro@users.noreply.github.com>
|
👋 Development Partner is reviewing this PR. Will provide feedback shortly. |
| @patch('main.log') | ||
| @patch('main.socket.getaddrinfo') | ||
| def test_validate_folder_url_redacts_exception( | ||
| self, mock_getaddrinfo, mock_log |
Check warning
Code scanning / Pylint (reported by Codacy)
Wrong hanging indentation before block (add 4 spaces). Warning test
|
|
||
| # Mock _api_get to succeed for root but fail for folder rules | ||
| with patch('main._api_get') as mock_api_get: | ||
| def api_get_side_effect(client_arg, url): |
Check warning
Code scanning / Pylint (reported by Codacy)
Missing function docstring Warning test
| @patch('main.log') | ||
| @patch('main._api_post') | ||
| @patch('main._api_get') | ||
| def test_create_folder_redacts_exception( |
Check warning
Code scanning / Pylint (reported by Codacy)
Too many local variables (19/15) Warning test
| @patch('main._api_post') | ||
| @patch('main._api_get') | ||
| def test_create_folder_redacts_exception( | ||
| self, mock_api_get, mock_api_post, mock_log |
Check warning
Code scanning / Pylint (reported by Codacy)
Wrong hanging indentation before block (add 4 spaces). Warning test
| ) | ||
|
|
||
| # Create a failing request function | ||
| def failing_request(): |
Check warning
Code scanning / Pylint (reported by Codacy)
Missing function docstring Warning test
|
|
||
| # Mock _api_get to succeed for root but fail for folder rules | ||
| with patch('main._api_get') as mock_api_get: | ||
| def api_get_side_effect(client_arg, url): |
Check notice
Code scanning / Pylint (reported by Codacy)
Unused argument 'client_arg' Note test
|
|
||
| # Action | ||
| try: | ||
| main._retry_request(failing_request, max_retries=2, delay=0.01) |
Check notice
Code scanning / Pylint (reported by Codacy)
Access to a protected member _retry_request of a client class Note test
| # Mock _api_get to succeed for root but fail for folder rules | ||
| with patch('main._api_get') as mock_api_get: | ||
| def api_get_side_effect(client_arg, url): | ||
| if url.endswith("/rules"): |
Check warning
Code scanning / Pylintpython3 (reported by Codacy)
Unnecessary "else" after "return" Warning test
| @patch('main.log') | ||
| @patch('main._api_post') | ||
| @patch('main._api_get') | ||
| def test_create_folder_redacts_exception( |
Check warning
Code scanning / Pylintpython3 (reported by Codacy)
Too many local variables (18/15) Warning test
| log.error(f"API Access Check Failed ({code}): {sanitize_for_log(e)}") | ||
| return False | ||
| except httpx.RequestError as e: | ||
| log.error(f"Network Error during access check: {e}") |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
| log.debug( | ||
| f"Could not extract ID from POST response: " | ||
| f"{sanitize_for_log(e)}" | ||
| ) |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
main.py
Outdated
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Use lazy % formatting in logging functions Note
|
|
||
| # Mock _api_get to succeed for root but fail for folder rules | ||
| with patch('main._api_get') as mock_api_get: | ||
| def api_get_side_effect(client_arg, url): |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Unused argument 'client_arg' Note test
|
|
||
| # Action | ||
| try: | ||
| main._retry_request(failing_request, max_retries=2, delay=0.01) |
Check notice
Code scanning / Pylintpython3 (reported by Codacy)
Access to a protected member _retry_request of a client class Note test
Vulnerability:
Exception messages were sometimes logged directly without sanitization. If an exception (e.g.,
httpx.RequestError) contained a sensitive URL with a token in the query string or error details, it could be leaked into logs.Fix:
Applied
sanitize_for_log()to all exception variables logged vialog.errorandlog.warning. This ensures any sensitive data within the exception message is redacted before output.Verification:
Added
tests/test_exception_logging.pywhich reproduces the issue by simulating an exception containing a secret token and verifying that the logged message is redacted.Ran existing tests to ensure no regressions.
PR created automatically by Jules for task 231878360127877934 started by @abhimehro