You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/01/22 17:20:05 UTC

[GitHub] [airflow] JonnyWaffles commented on issue #16614: Connection password not being masked in default logging

JonnyWaffles commented on issue #16614:
URL: https://github.com/apache/airflow/issues/16614#issuecomment-1019312882


   Hi @potiuk and team, I am on 2.1.3 of Airflow and seeing the same. A simple connection test executing `hook.get_conn()` is logging my client_secret password when logging is set to INFO. I see the following code where the redactor does not receive a name for the key as a second argument, simply the text value of the password
   
   https://github.com/apache/airflow/blob/d5cafc901158ec4d10f86f6d0c5a4faba23bc41e/airflow/hooks/base.py#L69-L79
   
   If I test the redactor myself it returns my password
   
   ```python
   from airflow.utils.log.secrets_masker import _secrets_masker
   m = _secrets_masker()
   m.redact("<MY CLIENT SECRET VALUE>")
   ```
   I don't know if this is expected or not but my client secret (provided to the connection uri as a password) is being leaked when I run my simple connection test via pytest.
   
   I have not modified the log settings other than to set `AIRFLOW__LOGGING__LOGGING_LEVEL=INFO`.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org