
Commit 6f60fb1

committed
Fix CodeQL alert for clear-text logging of sensitive info
Rename password_type to encoding_type to make it clear that we're logging metadata about the encoding scheme (plain/age/base64+age), not actual sensitive password content. Fixes CodeQL alert: py/clear-text-logging-sensitive-data
1 parent be67b87 commit 6f60fb1

1 file changed

Lines changed: 12 additions & 12 deletions


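--- a/operations-manager/python/opi/utils/age.py
+++ b/operations-manager/python/opi/utils/age.py
@@ -246,14 +246,14 @@ async def decrypt_password_smart(password: str, private_key: str | None) -> str:
 if not password:
 return password
 
-password_type, content = parse_password_with_prefix(password)
+encoding_type, content = parse_password_with_prefix(password)
 
-logger.debug(f"Password type detected: {password_type}")
+logger.debug(f"Encoding type detected: {encoding_type}")
 
-if password_type == "plain":
+if encoding_type == "plain":
 return content
 
-elif password_type == "age":
+elif encoding_type == "age":
 if not private_key:
 raise ValueError("Age encrypted password found but no private key available")
 
@@ -262,7 +262,7 @@ async def decrypt_password_smart(password: str, private_key: str | None) -> str:
 raise ValueError("Failed to decrypt Age password")
 return decrypted
 
-elif password_type == "base64+age":
+elif encoding_type == "base64+age":
 if not private_key:
 raise ValueError("Base64+Age encrypted password found but no private key available")
 
@@ -279,7 +279,7 @@ async def decrypt_password_smart(password: str, private_key: str | None) -> str:
 except Exception as e:
 raise ValueError(f"Failed to decode base64 content: {e}") from e
 
-raise ValueError(f"Unknown password type: {password_type}")
+raise ValueError(f"Unknown encoding type: {encoding_type}")
 
 
 def get_project_public_key(project_config: dict) -> str | None:
@@ -355,14 +355,14 @@ def decrypt_password_smart_sync(password: str, private_key: str | None) -> str:
 if not password:
 raise ValueError("Missing password")
 
-password_type, content = parse_password_with_prefix(password)
+encoding_type, content = parse_password_with_prefix(password)
 
-logger.debug(f"Password type detected: {password_type}")
+logger.debug(f"Encoding type detected: {encoding_type}")
 
-if password_type == "plain":
+if encoding_type == "plain":
 return content
 
-elif password_type == "age":
+elif encoding_type == "age":
 if not private_key:
 raise ValueError("Age encrypted password found but no private key available")
 
@@ -371,7 +371,7 @@ def decrypt_password_smart_sync(password: str, private_key: str | None) -> str:
 raise ValueError("Failed to decrypt Age password, returning original")
 return decrypted
 
-elif password_type == "base64+age":
+elif encoding_type == "base64+age":
 logger.debug("Processing base64-encoded Age encrypted password")
 if not private_key:
 raise ValueError("Base64+Age encrypted password found but no private key available")
@@ -384,4 +384,4 @@ def decrypt_password_smart_sync(password: str, private_key: str | None) -> str:
 raise ValueError("Failed to decrypt base64+Age password")
 return decrypted
 
-raise ValueError(f"Unknown password type: {password_type}")
+raise ValueError(f"Unknown encoding type: {encoding_type}")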
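Review bot: The renamed `encoding_type` is still the first element returned by `parse_password_with_prefix(password)`, so the data flow CodeQL flagged is unchanged at the `logger.debug(f"Encoding type detected: {encoding_type}")` lines in both `decrypt_password_smart` and `decrypt_password_smart_sync`; the rename changes only the identifier that CodeQL presumably matched on. The parser is not visible in this diff, so if it can ever return text derived from the input rather than one of the three fixed labels, that text would reach the debug log and the final `Unknown encoding type` ValueError. Consider logging only a value that has matched a known label, e.g. `logger.debug("Encoding type detected: %s", encoding_type if encoding_type in ("plain", "age", "base64+age") else "unrecognised")`, and dropping the raw value from the exception message. Both function bodies start and continue outside the hunks shown, so this should be checked against the parser's actual return contract.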
