
Potential fix for code scanning alert no. 44: Clear-text logging of sensitive information #3

Merged
eman merged 1 commit into main from alert-autofix-44
Oct 10, 2025

Conversation

@eman eman (Owner) commented Oct 10, 2025

Potential fix for https://github.com/eman/nwp500-python/security/code-scanning/44

To address the problem, we should avoid logging sensitive device identifiers (such as MAC addresses and any other sensitive information) in cleartext. Specifically, while it can be useful to log which topics we are subscribing to, any topic string that includes the MAC address should be sanitized before printing. The best approach is to redact, mask, or remove the MAC address from the topic string when logging. We can replace the MAC address with a placeholder like [REDACTED] or [MAC] in log output, while continuing to use the full string for subscription (which the code needs).

The fix is:

  1. Before printing the subscription topic in the log statement at line 123, apply a masking function that replaces any MAC address (in the topic) with a redacted form (e.g., replace the device_id in the topic with [REDACTED_MAC] or similar).
  2. Only apply this masking to the print/log statements, not to the value used in the actual subscription call.
  3. If there are multiple places where the MAC address appears in the print statements, sanitize all those locations.

We'll define a small utility function (inside the shown code, since we cannot touch code elsewhere) to help mask the MAC address string in the topic for logging.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
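The masking utility the description calls for, written here as an added example rather than the PR's own mask_mac_in_topic (whose body is not shown on this page): it redacts the given device's MAC whatever separator or letter case the topic uses, and adds a generic redactor plus a logging formatter for text the code does not control, such as the exception message printed in the except branch. The names REDACTED, redact_macs and MacRedactingFormatter are assumptions of this example.

```python
import logging
import re

REDACTED = "[REDACTED_MAC]"

# Generic pattern: six hex octets joined by ':' or '-', or 12 bare hex digits that
# are not part of a longer hex run (the bare form is what MQTT topic paths carry).
_ANY_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])"
    r"|(?<![0-9A-Fa-f])[0-9A-Fa-f]{12}(?![0-9A-Fa-f])"
)


def _hex_digits(device_id: str) -> str:
    """Strip separators so 'AA:BB:..', 'aa-bb-..' and 'aabb..' compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", device_id)
    if len(digits) != 12:
        raise ValueError("device_id is not a 48-bit MAC address")
    return digits.lower()


def mask_mac_in_topic(topic: str, device_id: str) -> str:
    """Redact this device's MAC wherever it appears in topic, whatever separator
    or letter case the topic uses. A plain topic.replace(device_id, ...) is a
    silent no-op when device_id is 'AA:BB:CC:DD:EE:FF' but the topic carries
    'aabbccddeeff', and the MAC would still be logged."""
    octets = re.findall(r"..", _hex_digits(device_id))
    # any single separator (or none) between octets, matched case-insensitively
    pattern = r"[:\-.]?".join(octets)
    return re.sub(pattern, REDACTED, topic, flags=re.IGNORECASE)


def redact_macs(text: str) -> str:
    """Redact any MAC-shaped token. Use this on text the code does not control,
    e.g. an exception message that may echo the full topic back."""
    return _ANY_MAC_RE.sub(REDACTED, text)


class MacRedactingFormatter(logging.Formatter):
    """Formatter that applies redact_macs to every rendered record, so a stray
    f-string elsewhere cannot leak a MAC through the logging module."""

    def format(self, record: logging.LogRecord) -> str:
        return redact_macs(super().format(record))
```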

…ensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
try:
await mqtt_client.subscribe(topic, message_handler)
print(f" ✅ Subscribed to: {topic}")
print(f" ✅ Subscribed to: {mask_mac_in_topic(topic, device_id)}")
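Review bot: the added line calls mask_mac_in_topic(topic, device_id), but the helper's body lies outside this hunk, so the review cannot confirm it matches the MAC in the form the topic actually carries; if the topic embeds the address without separators or in a different case from device_id, a plain str.replace silently leaves the MAC in the output. Add a unit test that feeds a topic containing the bare lower-case form and asserts that the placeholder appears.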

Check failure: Code scanning / CodeQL

Clear-text logging of sensitive information (High, test)

This expression logs sensitive data (private) as clear text.

Copilot Autofix (AI) commented 6 months ago

To fix the problem, all print or log statements that display the sensitive device MAC address (device_id, from device.device_info.mac_address) should redact it before outputting. The best method is to replace every instance where the MAC address would be printed with a redacted string such as "[REDACTED_MAC]", ensuring that no clear-text MAC addresses are shown as output. Specifically:

  • On line 92, replace the output of the MAC address.
  • In mask_mac_in_topic, ensure its masking is robust, and review all places where device identifiers are printed.
  • Ensure that, wherever device identifiers (especially device_id/MAC addresses) are included in debug, print, or log statements, they are masked.
  • Changes are limited to only the edit regions shown in the provided code, so only change print statements in the provided snippet.

No additional imports are needed, as masking is handled via string replacement.


Suggested changeset 1
examples/test_mqtt_messaging.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/examples/test_mqtt_messaging.py b/examples/test_mqtt_messaging.py
--- a/examples/test_mqtt_messaging.py
+++ b/examples/test_mqtt_messaging.py
@@ -89,7 +89,7 @@
             additional_value = device.device_info.additional_value
 
             print(f"✅ Found device: {device.device_info.device_name}")
-            print(f"   MAC Address: {device_id}")
+            print("   MAC Address: [REDACTED_MAC]")
             print(f"   Device Type: {device_type}")
             print(f"   Additional Value: {additional_value}")
             print(f"   Connection Status: {device.device_info.connected}")
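Review bot: the `+` line swaps the value for the fixed literal "[REDACTED_MAC]", so when several devices are enumerated the "Found device" block no longer says which one this is; if operators need to tell devices apart, print a non-reversible form (for example a short keyed hash of device_id, or only the trailing octet) rather than dropping the value, and leave a comment that the MAC is withheld on purpose so a later edit does not reinstate `{device_id}`.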
@@ -125,7 +125,7 @@
             for topic in topics:
                 try:
                     await mqtt_client.subscribe(topic, message_handler)
-                    print(f"   ✅ Subscribed to: {mask_mac_in_topic(topic, device_id)}")
+                    print("   ✅ Subscribed to: [REDACTED_TOPIC_MAC]")
                 except Exception as e:
                     print(
                         f"   ⚠️ Failed to subscribe to device topic (type: {device_type}): {e}"
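Review bot: the `+` line discards the topic in favour of a constant, so the log no longer records which of the `topics` was subscribed, and the removed line was the only visible call to mask_mac_in_topic, which leaves that helper dead if it has no other call sites; keep logging `mask_mac_in_topic(topic, device_id)` (the previous commit's approach) or remove the helper. The except branch below still interpolates `{e}`; an exception raised by subscribe may echo the full topic, so that message needs the same masking before it is printed.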
EOF
@eman eman merged commit f4761cf into main Oct 10, 2025
9 of 10 checks passed
@eman eman deleted the alert-autofix-44 branch October 15, 2025 18:20