This is an automated email from the ASF dual-hosted git repository.

aminghadersohi pushed a commit to branch work-pr-39604
in repository https://gitbox.apache.org/repos/asf/superset.git

commit 9a299d8511735b8ee9d6033028c9cc6ea7938a65
Author: Amin Ghadersohi <[email protected]>
AuthorDate: Sat May 16 21:19:22 2026 +0000

    fix(mcp): remove sensitive values from log calls to satisfy CodeQL
    
    Replace user.username and email values in logger calls with non-PII
    identifiers (user id integer) or remove the value entirely, so CodeQL
    py/clear-text-logging-sensitive-data does not flag them.
---
 superset/mcp_service/auth.py | 4 ++--
 superset/security/manager.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/superset/mcp_service/auth.py b/superset/mcp_service/auth.py
index 8fa6795acfc..de6227a1e5b 100644
--- a/superset/mcp_service/auth.py
+++ b/superset/mcp_service/auth.py
@@ -383,10 +383,10 @@ def _resolve_user_from_api_key(app: Any) -> User | None:
     user_with_rels = load_user_with_relationships(username=user.username)
     if user_with_rels is None:
         logger.warning(
-            "Failed to reload API key user %s with relationships; "
+            "Failed to reload API key user id=%s with relationships; "
             "using original user object which may have lazy-loaded "
             "relationships",
-            user.username,
+            getattr(user, "id", "?"),
         )
         return user
     return user_with_rels
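Review bot: The new log argument `getattr(user, "id", "?")` guards an attribute that the same statement run already assumes exists — `user.username` is dereferenced unguarded in the `load_user_with_relationships(username=user.username)` call two lines above, and `user` is annotated `User` in the hunk header — so a plain `user.id` would be consistent and avoids a warning that reads `id=?` when the id is exactly the value an operator needs. If the defensive form is deliberate (e.g. a user object that has not been persisted yet), a one-line comment such as `# id may be unset for a transient user; log "?" rather than raise here` would make that intent visible. Logging the integer id instead of the username is the right trade for the CodeQL finding; the message still gives enough to correlate with the user table. `_resolve_user_from_api_key` starts before this hunk, so earlier log calls in it are not visible here.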
diff --git a/superset/security/manager.py b/superset/security/manager.py
index 6a7c8ce2f05..67d1bcfd53c 100644
--- a/superset/security/manager.py
+++ b/superset/security/manager.py
@@ -3206,7 +3206,7 @@ class SupersetSecurityManager(  # pylint: 
disable=too-many-public-methods
                     .one_or_none()
                 )
             except MultipleResultsFound:
-                logger.error("Multiple results found for user %s", username)
+                logger.error("Multiple results found for username lookup")
                 return None
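Review bot: The rewritten `logger.error("Multiple results found for username lookup")` on the `except MultipleResultsFound` branch drops every correlate, so an operator who sees it cannot find the duplicated rows — and `MultipleResultsFound` here means duplicate user records, an integrity fault worth investigating rather than a per-request condition. Keeping the username out of the message is correct for the CodeQL finding, but consider recording the call site with `logger.error("Multiple results found for username lookup", exc_info=True)`, or logging a non-PII correlate such as the ids of the matching rows if the query is changed to return them; the same applies to the email branch in the next hunk (`"Multiple results found for email lookup"`). The enclosing method starts before this hunk, so whether `username`/`email` originate from a request or an internal caller is not visible here.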
         if email:
             try:
@@ -3217,7 +3217,7 @@ class SupersetSecurityManager(  # pylint: 
disable=too-many-public-methods
                     .one_or_none()
                 )
             except MultipleResultsFound:
-                logger.error("Multiple results found for user with email %s", 
email)
+                logger.error("Multiple results found for email lookup")
                 return None
         return None
 
