This is an automated email from the ASF dual-hosted git repository. aminghadersohi pushed a commit to branch work-pr-39604 in repository https://gitbox.apache.org/repos/asf/superset.git
commit 434330674ec1698ed948ad69fe57bbeeb38a7e72 Author: Amin Ghadersohi <[email protected]> AuthorDate: Fri May 15 00:02:31 2026 +0000 fix(mcp): remove sensitive values from log calls to satisfy CodeQL - Drop g.user.username from the permission-denied warning (CodeQL py/clear-text-logging-sensitive-data flags .username) - Replace the parametrized debug log that passed API_KEY_PASSTHROUGH_CLAIM (variable name contains KEY) with a static message
---
 superset/mcp_service/auth.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/superset/mcp_service/auth.py b/superset/mcp_service/auth.py
index 61361657000..68b3fd6db68 100644
--- a/superset/mcp_service/auth.py
+++ b/superset/mcp_service/auth.py
@@ -142,16 +142,14 @@ def check_tool_permission(func: Callable[..., Any], *, log_denial: bool = True)
 if not has_permission:
 if log_denial:
 logger.warning(
- "Permission denied for user %s: %s on %s (tool: %s)",
- g.user.username,
+ "Permission denied: %s on %s (tool: %s)",
 permission_str,
 class_permission_name,
 func.__name__,
 )
 else:
 logger.debug(
- "Tool hidden for user %s: %s on %s (tool: %s)",
- g.user.username,
+ "Tool hidden: %s on %s (tool: %s)",
 permission_str,
 class_permission_name,
 func.__name__,
@@ -280,9 +278,8 @@ def _resolve_user_from_jwt_context(app: Any) -> User | None:
 )
 return None
 logger.debug(
- "Ignoring %s claim on non-API-key token (client_id=%r); processing as JWT",
- API_KEY_PASSTHROUGH_CLAIM,
- getattr(access_token, "client_id", None),
+ "API key passthrough claim present but client_id is not 'api_key';"
+ " processing as JWT"
 )
 # Use configurable resolver or default
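Review bot: Dropping `g.user.username` from the permission-denied warning leaves the log line with no principal at all, so a denied tool call can no longer be attributed during triage; the CodeQL query keys on the `.username` attribute name, so logging the numeric id keeps the finding quiet while preserving attribution, e.g. `"Permission denied for user id %s: %s on %s (tool: %s)", g.user.id,` (and the same for the `Tool hidden` debug message below it). Whether `g.user` is always an authenticated user at this point is decided above the hunk, so guard the attribute access accordingly if anonymous access can reach here. `check_tool_permission` begins before and continues after this hunk.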
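Review bot: The replacement debug message in `_resolve_user_from_jwt_context` hardcodes the literal `'api_key'` and drops the actual `client_id`, so the log no longer says which client presented a passthrough claim on a non-API-key token; the commit message attributes the CodeQL finding to the `API_KEY_PASSTHROUGH_CLAIM` argument rather than the `client_id` one, so the client identifier can stay, e.g. `"Passthrough claim present on non-API-key token (client_id=%r); processing as JWT", getattr(access_token, "client_id", None),`. The comparison that decides the token is not an API-key token sits above the hunk, so confirm the quoted `'api_key'` literal matches whatever that check compares against, or the message will drift the first time that value changes. A token carrying a claim that does not match its type is the kind of anomaly worth keeping attributable, so consider whether debug is the right level once the value is retained. `_resolve_user_from_jwt_context` starts before and continues after this hunk.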
