jason810496 opened a new pull request, #67631: URL: https://github.com/apache/airflow/pull/67631
The HTTP access log middleware logged the raw query string without passing it through ``secrets_masker.redact()``. The decorator-layer audit log already masks request data; the access-log layer did not. A secret inadvertently passed as a query parameter (e.g. ``?password=foo`` or ``?token=bar``) was therefore written to the access log in plaintext. Parse the query string into ``(key, value)`` pairs and call ``secrets_masker.redact(value, key)`` per pair before logging. This matches the pattern already used in ``logging/decorators.py``: keys whose names are flagged sensitive by ``secrets_masker`` (``password``, ``token``, ``api_key``, …) have their values replaced with ``***``; values previously registered via ``mask_secret()`` are caught too. Non-sensitive keys are unchanged, blank values are preserved so log readers still see the parameter was present, and malformed query strings fall back to raw logging rather than silently dropping diagnostic information. (cherry picked from commit aa3b7d4) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
