dosubot[bot] commented on issue #35355: URL: https://github.com/apache/superset/issues/35355#issuecomment-3354745953
Hi @Devika7733! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

This is expected behavior in Superset 5.0.0: passwords and other sensitive fields included in the dashboard import API request (like the `passwords` form field) are logged in plaintext in the action log. This happens because the logging system collects all form data from the request and stores it without redaction or filtering; there is no built-in mechanism or configuration to mask or exclude sensitive fields like passwords from these logs. The relevant code is in the `event_logger` decorator and the `collect_request_payload` function, which gathers all request data for logging, and the `DBEventLogger`, which writes it to the database logs. The `PASSWORD_MASK` constant and `redact_sensitive` function exist in the codebase, but they are not applied to action log payloads by default, so secrets passed in API requests will appear in logs if included in the payload [citation](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/utils/log.py).

There is no configuration or environment variable to control this in Superset 5.0.0 [citation](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/dashboards/api.py).

This is a known security concern, and similar issues have been reported for other import operations (like `import_datasources`), but no official fix or workaround is implemented yet [citation](https://github.com/apache/superset/issues/31983).

If you need to avoid exposing passwords in logs, the only current options are to customize the Superset codebase to mask or filter sensitive fields before logging, or to post-process logs to redact secrets after the fact. There is no built-in or officially recommended solution for this in the dashboard import API.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*
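The comment above says the only current option is to customize the codebase so sensitive fields are masked before the action log stores them. The following is an added example of what that scrubbing step can look like; it is not Superset's code and not part of the Dosu comment. Everything Superset-specific in it is an assumption: the field names of the import request (`passwords`, `ssh_tunnel_passwords`, `ssh_tunnel_private_keys`), the idea that a custom logger object can be plugged in through the `EVENT_LOGGER` setting, and the `log()` signature. The secrets in the sample request are constructed. The point it shows that the prose does not is that the `passwords` field is a JSON string keyed by file path, so a redactor has to parse the string and mask the values while keeping the keys, or the log loses the information of which database needed a password.

```python
"""
Added example, not Superset code and not part of the Dosu comment above:
scrub secrets out of a request payload before an action logger stores it.
Field names, the EVENT_LOGGER hook and the log() signature are assumptions.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Key names treated as secrets; extend for your deployment (assumption).
SENSITIVE_KEY_RE = re.compile(
    r"password|passwd|secret|token|api_key|private_key", re.IGNORECASE
)
PASSWORD_MASK = "X" * 10  # our own mask value, not Superset's constant


def redact_payload(value: Any, key: Any = None, force: bool = False) -> Any:
    """Return a copy of `value` with secrets masked.

    Masks every leaf beneath a sensitive key, recurses through dicts and
    lists, and parses JSON-encoded strings so that a field such as
    passwords='{"databases/x.yaml": "hunter2"}' keeps its file-path keys
    while the password values themselves are replaced.
    """
    force = force or (key is not None and bool(SENSITIVE_KEY_RE.search(str(key))))
    if isinstance(value, dict):
        return {k: redact_payload(v, k, force) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact_payload(v, key, force) for v in value]
    if isinstance(value, str):
        stripped = value.strip()
        if stripped[:1] in ("{", "["):
            try:
                parsed = json.loads(stripped)
            except ValueError:
                parsed = None
            if isinstance(parsed, (dict, list)):
                return json.dumps(redact_payload(parsed, None, force), sort_keys=True)
    return PASSWORD_MASK if force else value


def leaks(value: Any, secret: str) -> bool:
    """True if `secret` still appears anywhere in the serialised value."""
    return secret in json.dumps(value, default=str)


class RedactingEventLogger:
    """Stand-in for a custom event logger that scrubs before persisting.

    Assumption: Superset's pluggable logger is an object with a log() method
    that receives the collected request records; the real signature differs
    by version, so this is a sketch of the wrapping idea, not the API.
    Entries are kept in memory so the example runs offline.
    """

    def __init__(self) -> None:
        self.entries: list[dict[str, Any]] = []

    def log(
        self,
        user_id: int | None,
        action: str,
        records: list[dict[str, Any]] | None = None,
        **extra: Any,
    ) -> list[dict[str, Any]]:
        # Redact a copy; the caller's dicts are left untouched.
        safe_records = [redact_payload(record) for record in records or []]
        self.entries.append(
            {"user_id": user_id, "action": action, "records": safe_records, **extra}
        )
        return safe_records


# Constructed sample resembling a dashboard import request (field names are
# an assumption); the secrets are made up.
CONSTRUCTED_IMPORT_REQUEST: dict[str, Any] = {
    "formData": "dashboard_export.zip",
    "overwrite": "true",
    "passwords": '{"databases/examples_db.yaml": "hunter2"}',
    "ssh_tunnel_passwords": '{"databases/examples_db.yaml": "tunnel-pass"}',
    "ssh_tunnel_private_keys": '{"databases/examples_db.yaml": "-----BEGIN KEY-----"}',
}


def demo() -> list[dict[str, Any]]:
    """Log one constructed import request through the redacting logger."""
    logger = RedactingEventLogger()
    return logger.log(1, "ImportExportRestApi.import_", records=[CONSTRUCTED_IMPORT_REQUEST])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats for anyone wiring something like this in: redaction by key name is only as good as the pattern list, so the safer policy for an import endpoint is an allow-list of the few non-secret fields worth logging (`overwrite`, the archive name) rather than a deny-list; and masking at the logger does nothing for copies of the payload that other handlers or web-server access logs may already have written.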
