
python false positive Clear-text logging of sensitive information #13538

@drobert

Description of the false positive

I have a Python AWS Lambda that returns a JSON payload with correctly identified sensitive information (along with metadata like status code, etc.). I have a 'log response' function that specifically logs metadata and no sensitive data, but CodeQL is reporting that sensitive non-metadata fields are being logged.

Code samples or links to source code

import json
import logging

logger = logging.getLogger(__name__)


def main():
    user_creds = ...  # sensitive information here
    return write_access_log({
        "statusCode": 200,
        "body": {
            "dry_run": False,
            # actual sensitive information here
            "credentials": {
                "db": {
                    "username": user_creds.username,
                    "privatekey": user_creds.encrypted_private_key,
                    "passphrase": user_creds.private_key_passphrase,
                }
            }
        }
    })


def write_access_log(resp):
    if "statusCode" in resp:
        dry_run = (
            str(resp["body"]["dry_run"])
            if resp.get("body", {}).get("dry_run") is not None
            else "unknown"
        )
        payload = {"statusCode": int(resp["statusCode"]), "dry_run": dry_run}
        msg = json.dumps(payload)
        # Flagged as 'clear-text logging of sensitive information', showing a path that includes
        # "passphrase" from resp which is not logged
        logger.info(msg)

    return resp
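A runtime check for the property the report is about, added here as an example and not part of the original issue or of the CodeQL project: it builds the access-log record from an allowlist of explicitly converted scalars, runs both that logger and a deliberately leaky full-dump variant through a capturing log handler, and reports which sensitive values reached the emitted text. The sample response (with placeholder secrets), the `LOG_SAFE_KEYS` and `SENSITIVE_KEYS` lists and the helper names are assumptions made for this example.

```python
import io
import json
import logging

# Constructed sample response, shaped like the one in the issue. The secret
# values are placeholders for this example, not real credentials.
SAMPLE_RESPONSE = {
    "statusCode": 200,
    "body": {
        "dry_run": False,
        "credentials": {
            "db": {
                "username": "svc_user",
                "privatekey": "PLACEHOLDER-ENCRYPTED-KEY",
                "passphrase": "PLACEHOLDER-PASSPHRASE",
            }
        },
    },
}

# Assumed allowlist: the only response fields that may ever reach the access log.
LOG_SAFE_KEYS = ("statusCode", "dry_run")

# Assumed key names whose whole subtree the leak check treats as sensitive.
SENSITIVE_KEYS = ("credentials", "passphrase", "privatekey", "password", "secret", "token")


def access_log_record(resp):
    """Build the log record from explicitly converted scalars only.

    Values are coerced with int()/str(), so the record holds fresh scalars rather
    than references into the response, and only allowlisted keys are copied.
    A missing or None dry_run is reported as "unknown".
    """
    body = resp.get("body") or {}
    dry_run = body.get("dry_run")
    record = {
        "statusCode": int(resp["statusCode"]),
        "dry_run": str(dry_run) if dry_run is not None else "unknown",
    }
    # Defensive invariant: nothing outside the allowlist ends up in the record.
    assert set(record) == set(LOG_SAFE_KEYS)
    return record


def write_access_log(resp, logger):
    """Metadata-only logger, the pattern from the issue."""
    if "statusCode" in resp:
        logger.info(json.dumps(access_log_record(resp)))
    return resp


def write_full_response_log(resp, logger):
    """Deliberately leaky variant: dumps the whole response, secrets included."""
    logger.info(json.dumps(resp))
    return resp


def sensitive_values(obj, under_sensitive=False, out=None):
    """Collect every non-empty string leaf found beneath a key in SENSITIVE_KEYS."""
    if out is None:
        out = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            sensitive_values(value, under_sensitive or key.lower() in SENSITIVE_KEYS, out)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            sensitive_values(value, under_sensitive, out)
    elif under_sensitive and isinstance(obj, str) and obj:
        out.append(obj)
    return out


def captured_log(resp, log_fn):
    """Run log_fn against a logger with a capturing handler; return the emitted text."""
    stream = io.StringIO()
    logger = logging.getLogger("access-log-leak-check")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    logger.addHandler(handler)
    try:
        log_fn(resp, logger)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


def leaked_secrets(resp, log_fn):
    """Return the sensitive values that appear verbatim in what log_fn logged."""
    text = captured_log(resp, log_fn)
    return [value for value in sensitive_values(resp) if value in text]


if __name__ == "__main__":
    print("metadata logger leaks:", leaked_secrets(SAMPLE_RESPONSE, write_access_log))
    print("full-dump logger leaks:", leaked_secrets(SAMPLE_RESPONSE, write_full_response_log))
```

Whatever the analyzer concludes about the taint path through `resp`, this is the check worth keeping in the Lambda's test suite: the metadata-only logger yields an empty leak list, the full-dump variant yields every credential value, and the record builder never holds a reference into the response dict, only `int`/`str` copies of allowlisted fields.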
