github-advanced-security[bot] commented on code in PR #48791:
URL: https://github.com/apache/airflow/pull/48791#discussion_r2028367089
##########
task-sdk/src/airflow/sdk/execution_time/secrets_masker.py:
##########
@@ -346,12 +351,30 @@
for k, v in secret.items():
self.add_mask(v, k)
elif isinstance(secret, str):
- if not secret or (self._test_mode and secret in
SECRETS_TO_SKIP_MASKING_FOR_TESTS):
+ if not secret:
+ return
+
+ if self._test_mode and secret.lower() in
SECRETS_TO_SKIP_MASKING_FOR_TESTS:
+ return
+
+ if secret.lower() in SECRETS_TO_SKIP_MASKING:
+ return
+
+ if len(secret) < MIN_SECRET_LENGTH:
+ log.warning(
+ "Skipping masking for secret with name '%s' as it's too
short (<%d chars)",
+ name or "unknown",
+ MIN_SECRET_LENGTH,
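Review bot: the `log.warning(...)` in the `len(secret) < MIN_SECRET_LENGTH` branch is what the scanner flags, yet the arguments visible here are only `name or "unknown"` and `MIN_SECRET_LENGTH`, and the hunk is cut off right after `MIN_SECRET_LENGTH,`, so whether the secret value itself reaches the log cannot be confirmed from this excerpt; please check the full call and make sure `secret` is never among its arguments, since a message emitted from inside the masker is the one place a leaked value cannot be masked afterwards. The branch is also a behaviour change worth a docstring or changelog line: values shorter than `MIN_SECRET_LENGTH` now return before `add_mask` records them, so they are no longer redacted anywhere, and the warning fires on every such call, which may be noisy for callers that add the same short value repeatedly; consider `log.debug` or logging once per name.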
Review Comment:
## Clear-text logging of sensitive information
This expression logs [sensitive data (secret)](1) as clear text.
[Show more details](https://github.com/apache/airflow/security/code-scanning/455)
##########
task-sdk/src/airflow/sdk/execution_time/secrets_masker.py:
##########
@@ -346,12 +351,30 @@
for k, v in secret.items():
self.add_mask(v, k)
elif isinstance(secret, str):
- if not secret or (self._test_mode and secret in
SECRETS_TO_SKIP_MASKING_FOR_TESTS):
+ if not secret:
+ return
+
+ if self._test_mode and secret.lower() in
SECRETS_TO_SKIP_MASKING_FOR_TESTS:
+ return
+
+ if secret.lower() in SECRETS_TO_SKIP_MASKING:
+ return
+
+ if len(secret) < MIN_SECRET_LENGTH:
+ log.warning(
+ "Skipping masking for secret with name '%s' as it's too
short (<%d chars)",
+ name or "unknown",
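Review bot: this copy of the hunk stops inside the `log.warning(` call, with `name or "unknown",` as the last visible argument, so the two sinks the scanner reports cannot be matched to specific arguments from what is shown; the finding should be resolved against the complete call rather than dismissed from this excerpt. Note also the ordering of the three early returns above it: the `SECRETS_TO_SKIP_MASKING_FOR_TESTS` and `SECRETS_TO_SKIP_MASKING` checks use `secret.lower()` and return silently, while only the length check logs, so a short value that is also on a skip list is skipped without any warning; if that asymmetry is intended it deserves a comment.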
Review Comment:
## Clear-text logging of sensitive information
This expression logs [sensitive data (secret)](1) as clear text.
This expression logs [sensitive data (secret)](2) as clear text.
[Show more details](https://github.com/apache/airflow/security/code-scanning/454)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]