Conversation
full_url = f"{url}?api_key={urllib.parse.quote(api_key)}"
keep_api_key = min(len(api_key) - 1, 10)
remove_from_end = len(api_key) - keep_api_key
print(f" GET {full_url[:-remove_from_end]}...")
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High test
Copilot Autofix
AI 6 days ago
In general, the fix is to avoid logging any representation of the API key (or other secrets) in clear text. For HTTP requests that include secrets in the URL or headers, logs should either omit those parts entirely or replace them with a fixed placeholder like [REDACTED].
For this specific file, the only problematic logging is the print(f" GET {full_url[:-remove_from_end]}...") line. The full_url string contains the API key in the query string. The current approach attempts to hide the tail of the key, but that still leaks part of it. The safest fix that preserves existing functionality is to log a version of the URL with the api_key value fully redacted. We can construct a new string, e.g. safe_url = f"{url}?api_key=[REDACTED]", and log that instead of full_url. This keeps the helpful information that a GET is being performed on a specific endpoint while ensuring no part of the actual key is printed.
Concretely:
- Edit medcat-demo-app/tests/test_integration.py near line 50.
- Replace the calculation of keep_api_key, remove_from_end, and the print that uses full_url[:-remove_from_end] with a single creation of a redacted_url (or similar) that hardcodes [REDACTED] as the api_key value, and print that.
- No new imports, methods, or global definitions are needed; this is a straightforward string change in place.
| @@ -45,9 +45,8 @@ | ||
|
|
||
| # ── 1. Call with key in query string ────────────────────────────────────── | ||
| full_url = f"{url}?api_key={urllib.parse.quote(api_key)}" | ||
| keep_api_key = min(len(api_key) - 1, 10) | ||
| remove_from_end = len(api_key) - keep_api_key | ||
| print(f" GET {full_url[:-remove_from_end]}...") | ||
| redacted_url = f"{url}?api_key=[REDACTED]" | ||
| print(f" GET {redacted_url}...") | ||
|
|
||
| try: | ||
| req = urllib.request.Request(full_url) |
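Review bot: The redacted print is the right replacement, but the hunk keeps full_url alive for urllib.request.Request(full_url), so anything later in this test that formats the request (an assertion message, an exception re-raised with the URL attached, a debug print in the except branch) would put the key straight back into the test output; worth checking the rest of test_integration.py for other uses of full_url before the alert is closed. A one-line comment above `redacted_url = f"{url}?api_key=[REDACTED]"` stating that the key is deliberately never echoed would also stop a future refactor from reintroducing the partial-mask print.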
same as above mentioned by Mart
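The redaction approach from the autofix comment above, carried a step further as an added example (not code from the medcat repository): the partial mask that CodeQL flagged is placed beside a generic redactor that rewrites the parsed query string, so it also covers other secret-bearing parameter names and URLs where the key is not the last parameter. The endpoint, key value and SENSITIVE_PARAMS list are constructed for the example.

```python
import urllib.parse

# Query parameter names whose values must never reach a log line (assumed list).
SENSITIVE_PARAMS = frozenset({"api_key", "token", "access_token", "password"})


def redact_url(url: str, placeholder: str = "[REDACTED]") -> str:
    """Return `url` with the value of every sensitive query parameter replaced.

    Unlike slicing characters off the end of the URL, this rewrites the parsed
    query, so no part of the secret survives and non-sensitive parameters keep
    their order and values. A URL without a query string is returned unchanged.
    """
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [
        (name, placeholder if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in pairs
    ]
    # safe="[]" keeps the placeholder readable rather than %5BREDACTED%5D.
    query = urllib.parse.urlencode(cleaned, safe="[]")
    return urllib.parse.urlunsplit(parts._replace(query=query))


def partial_mask(url: str, api_key: str) -> str:
    """The masking the CodeQL alert flagged: up to 10 key characters remain."""
    keep_api_key = min(len(api_key) - 1, 10)
    remove_from_end = len(api_key) - keep_api_key
    return url[:-remove_from_end]


if __name__ == "__main__":
    api_key = "sk-constructed-secret-value-0123456789"  # constructed, not real
    url = "https://example.invalid/models"              # placeholder endpoint
    full_url = f"{url}?model=medcat&api_key={urllib.parse.quote(api_key)}"
    print("partial :", partial_mask(full_url, api_key))  # still shows a key prefix
    print("redacted:", redact_url(full_url))             # nothing of the key
```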
… does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…-keep-model-distribution
full_url = f"{url}?api_key={urllib.parse.quote(api_key)}"
keep_api_key = min(len(api_key) - 1, 10)
remove_from_end = len(api_key) - keep_api_key
print(f" GET {full_url[:-remove_from_end]}...")
same as above mentioned by Mart
This PR aims to remove the "demo" capabilities from the medcat-demo-webapp (sub)project. It should only keep the model distribution parts of it (i.e. downloading openly available models if/when you have permission). This also means the "demo" doesn't need medcat anymore since it's just about .zip file distribution.

PS: I think it may be worth renaming the folder as well. Might do that at the end of the PR along with the relevant workflow changes. Now done as part of this PR.