Feature/qa 8205 interop archiviazione documentale #874
giuseppe-veldorale wants to merge 70 commits into develop from
Conversation
…iazione-documentale # Conflicts: # interop-qa-tests/pom.xml
…mati e non dai relativi bucket S3
…REEMENT_SUSPENDED_BY_CONSUMER_EVENTS_LOG
```java
S3Polling polling = new S3Polling(Region.EU_SOUTH_1, s3 -> {
    log.info("Ricerco il file all'interno del bucket: {}", bucket.fullPath());
```
Check failure
Code scanning / CodeQL: Insertion of sensitive information into log files (High, test)
Copilot Autofix
AI, 5 days ago
In general terms, the fix is to avoid writing the potentially sensitive full S3 path (including prefix/key derived from tokens and IDs) into the logs. Instead, we should either remove the dynamic path components from the log or replace them with a non-sensitive, high-level description (e.g., bucket role or base path only). This preserves observability without exposing full internal paths and identifiers.
The single best fix here is to modify the log.info call in ArchivingClient.findS3FileInInterval so that it no longer logs bucket.fullPath(). We can log a safer subset of information (for example, just bucket.base() and the BucketRole), or use a static description. This keeps the method behavior unchanged (it still uses the full path to perform S3 operations) but prevents the sensitive value from being sent to the logging sink.
Specifically:
- In `interop-qa-tests/src/test/java/it/pagopa/pn/interop/cucumber/steps/archiviazione_documentale/client/ArchivingClient.java`, around the S3 polling lambda, change the line: `log.info("Ricerco il file all'interno del bucket: {}", bucket.fullPath());`
- Replace it with a variant that does not log `bucket.fullPath()`, e.g.: `log.info("Ricerco il file all'interno del bucket di base {}", bucket.base());` or just a static message like `log.info("Ricerco il file all'interno del bucket configurato");`.
- No new imports or helper methods are needed; only this log statement needs updating.
| @@ -77,7 +77,7 @@ | ||
|
|
||
| S3Polling polling = new S3Polling(Region.EU_SOUTH_1, s3 -> { | ||
|
|
||
| log.info("Ricerco il file all'interno del bucket: {}", bucket.fullPath()); | ||
| log.info("Ricerco il file all'interno del bucket di base {}", bucket.base()); | ||
| List<S3Object> candidates = getLatestNObjects(s3, bucket, 50, start, end).stream() | ||
| .filter(obj -> isNotAlreadyChecked(obj.key(), checkedKeys)) | ||
| .toList(); |
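Review bot: the replacement line `log.info("Ricerco il file all'interno del bucket di base {}", bucket.base());` only resolves the CodeQL finding if `bucket.base()` carries none of the token- or ID-derived segments that made `fullPath()` sensitive; the hunk does not show how `base()` is composed, so please confirm that, or log the bucket role or a static message instead of any path component, as the autofix note also suggests. Minor, in the same hunk: the `50` in `getLatestNObjects(s3, bucket, 50, start, end)` is an unexplained limit; a named constant would document why that many candidates are fetched per poll.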
No description provided.