Skip to content

Remove query parameters from logs #1997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: develop
Choose a base branch
from
Open

Remove query parameters from logs #1997

wants to merge 9 commits into from

Conversation

bddap
Copy link

@bddap bddap commented Aug 20, 2025
edited
Loading

fixes #1996

Full disclosure, I had github copilot implement these changes. (been trying out the agent feature, it's pretty neat). I have personally reviewed for slop and the code looks good. Even the pr description below is true, it actually did run Manual verification and the unit tests. context

BEGIN COPILOT'S OWN DESCRIPTION (fact-checked by me)

Description

This PR fixes a security vulnerability where sensitive data (passwords, tokens, API keys, personal information) was being exposed in debug logs through SQL query parameters. The fix removes parameter values from debug logging while preserving the SQL query structure for debugging purposes.

Changes made:

  • Updated logging statements in 7 backend database client files (21 total logging calls)
  • Changed from self.log.debug("%s: %s", query, values) to self.log.debug("%s", query)
  • Affects: MySQL, SQLite, PostgreSQL/psycopg, ODBC, Oracle, MSSQL, and AsyncPG backends

Before:

DEBUG:tortoise.db_client:INSERT INTO "users" ("username","password_hash","email") VALUES (?,?,?): ['admin', 'super_secret_hash_123', 'admin@example.com']

After:

DEBUG:tortoise.db_client:INSERT INTO "users" ("username","password_hash","email") VALUES (?,?,?)

Motivation and Context

Fixes #1996

SQL query parameters often contain sensitive information that should never be logged:

  • User passwords and password hashes
  • Authentication tokens and API keys
  • Personal identifiable information (emails, names, addresses)
  • Business-critical data that could be exposed in log files

This creates a significant security risk, especially in:

  • Development environments where debug logging is commonly enabled
  • Production systems where logs might be accidentally enabled or collected
  • Shared development environments where logs could be accessed by unauthorized users

The current implementation logs both the SQL structure AND the parameter values, which unnecessarily exposes this sensitive data.

How Has This Been Tested?

  1. Added comprehensive test suite (tests/test_logging_security.py):

    • Validates that sensitive data (usernames, emails, bio information) is NOT exposed in debug logs
    • Confirms SQL query structure is still logged for debugging purposes
    • Tests INSERT, UPDATE, and SELECT operations
    • Uses proper log capture mechanism to verify actual log output

  2. Manual verification:

    • Tested with debug logging enabled across different database backends
    • Confirmed that SQL queries are still logged (maintaining debugging capability)
    • Verified that parameter values are completely absent from log output

  3. Existing test compatibility:

    • All existing tests continue to pass (no breaking changes)
    • The fix is purely additive to security without affecting functionality

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added the changelog accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Notes on checklist:

  • Code style: Changes follow existing patterns and are minimal/surgical
  • Documentation: No documentation changes needed - this is an internal security fix that doesn't change the public API
  • Changelog: Added entry for this security fix under the "Fixed" section (commit 79606f1)
  • Contributing: Followed all guidelines from docs/CONTRIBUTING.rst including makefile usage and testing requirements
  • Tests: Added tests/test_logging_security.py with comprehensive coverage of the security fix
  • Test results: All existing functionality preserved, new security test validates the fix works correctly

Copilot AI and others added 5 commits August 20, 2025 19:20
@Copilot
Initial plan
e8b20e0
@Copilot @bddap
Fix issue tortoise#1996: Remove sensitive query parameters from debug…
bbdf19b 
… logging

- Updated all backend client files to log only SQL queries without parameter values
- Changed logging from `self.log.debug("%s: %s", query, values)` to `self.log.debug("%s", query)`
- Affects 7 backend clients: MySQL, SQLite, PostgreSQL (psycopg), ODBC, Oracle, MSSQL, AsyncPG
- Prevents exposure of sensitive data like passwords, tokens, etc. in debug logs
- Maintains debugging capability by still logging the SQL query structure

Co-authored-by: bddap <2702854+bddap@users.noreply.github.com>
@Copilot @bddap
Add comprehensive test for query parameter logging security fix
e8ff19e 
Co-authored-by: bddap <2702854+bddap@users.noreply.github.com>
@Copilot @bddap
Add changelog entry for security fix tortoise#1996
79606f1 
Co-authored-by: bddap <2702854+bddap@users.noreply.github.com>
@Copilot @bddap
Fix changelog structure and format test file per review feedback
9a7c34e 
Co-authored-by: bddap <2702854+bddap@users.noreply.github.com>
@bddap bddap marked this pull request as ready for review August 20, 2025 21:13
bddap
bddap commented Aug 20, 2025
View reviewed changes
CHANGELOG.rst Outdated
Comment on lines 13 to 17
0.25.2
------
Fixed
^^^^^
- Remove sensitive query parameters from debug logging to prevent exposure of passwords, tokens, and personal data (#1996)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Want this too be added to an ## [Unreleased] section? Keep A Changelog style?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, there is already a section with unreleased version in the newer version of CHANGELOG

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added my change to that new section.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

814974b

@codspeed-hq CodSpeed HQ
Copy link

codspeed-hq bot commented Aug 22, 2025
edited
Loading

CodSpeed Performance Report

Merging #1997 will not alter performance

Comparing bddap:copilot/fix-056ef898-c331-4fbb-a571-d445599ed67f (814974b) with develop (cbd1fb5)

Summary

✅ 16 untouched benchmarks

@coveralls
Copy link

coveralls commented Aug 22, 2025
edited
Loading

Pull Request Test Coverage Report for Build 17163515135

Details

  • 20 of 21 (95.24%) changed or added relevant lines in 7 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 89.637%
Changes Missing Coverage Covered Lines Changed/Added Lines %
tortoise/backends/oracle/client.py 0 1 0.0%
Totals Coverage Status
Change from base Build 17108761905: 0.0%
Covered Lines: 6676
Relevant Lines: 7266
💛 - Coveralls

@Copilot @bddap
Use [Unreleased] section in changelog following Keep A Changelog format
5b9280e 
Co-authored-by: bddap <2702854+bddap@users.noreply.github.com>
@bddap bddap marked this pull request as draft August 22, 2025 18:02
Copilot AI and others added 3 commits August 22, 2025 18:06
@Copilot @bddap
Fix changelog structure: Move [Unreleased] section to top level
ddbcc72 
Co-authored-by: bddap <2702854+bddap@users.noreply.github.com>
@Copilot
Merge remote-tracking branch 'upstream/develop' into copilot/fix-056e…
d679300 
…f898-c331-4fbb-a571-d445599ed67f

# Conflicts:
#	CHANGELOG.rst
@bddap
use the repo's current changlog style
814974b
@bddap bddap marked this pull request as ready for review August 22, 2025 18:54
@bddap
Copy link
Author

bddap commented Sep 2, 2025

I see you approved, @henadzit . This pr should be good to merge now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@henadzit henadzit henadzit approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

remove query parameters from logs
4 participants
@bddap @coveralls @henadzit @Copilot