You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by as...@apache.org on 2021/06/22 13:45:55 UTC

[airflow] 05/38: Ensure that we don't try to mask empty string in logs (#16057)

This is an automated email from the ASF dual-hosted git repository.

ash pushed a commit to branch v2-1-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit c47171be467fba8a5dee626e7c2e92b41fe1034e
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Tue May 25 19:31:22 2021 +0100

    Ensure that we don't try to mask empty string in logs (#16057)
    
    Although `Connection.password` being empty was guarded against, there
    are other possible cases (such as an extra field) that wasn't guarded
    against, which ended up with this in the logs:
    
        WARNING - ***-***-***-*** ***L***o***g***g***i***n***g*** ***e***r***r***o***r*** ***-***-***-***
    
    Oops!
    
    (cherry picked from commit 8814a59a5bf54dd17aef21eefd0900703330c22c)
---
 airflow/utils/log/secrets_masker.py    | 2 ++
 tests/utils/log/test_secrets_masker.py | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/airflow/utils/log/secrets_masker.py b/airflow/utils/log/secrets_masker.py
index 73a2aef..6df8d39 100644
--- a/airflow/utils/log/secrets_masker.py
+++ b/airflow/utils/log/secrets_masker.py
@@ -214,6 +214,8 @@ class SecretsMasker(logging.Filter):
             for k, v in secret.items():
                 self.add_mask(v, k)
         elif isinstance(secret, str):
+            if not secret:
+                return
             pattern = re.escape(secret)
             if pattern not in self.patterns and (not name or should_hide_value_for_key(name)):
                 self.patterns.add(pattern)
diff --git a/tests/utils/log/test_secrets_masker.py b/tests/utils/log/test_secrets_masker.py
index 1146bce..8c88bdd 100644
--- a/tests/utils/log/test_secrets_masker.py
+++ b/tests/utils/log/test_secrets_masker.py
@@ -156,6 +156,8 @@ class TestSecretsMasker:
             # When the "sensitive value" is a dict, don't mask anything
             # (Or should this be mask _everything_ under it ?
             ("api_key", {"other": "innoent"}, set()),
+            (None, {"password": ""}, set()),
+            (None, "", set()),
         ],
     )
     def test_mask_secret(self, name, value, expected_mask):