potiuk opened a new pull request, #67498: URL: https://github.com/apache/airflow/pull/67498
`HttpAccessLogMiddleware` logged the raw query string without passing it through `secrets_masker.redact()`. The decorator-layer audit log already masks request data (`logging/decorators.py`); the access-log layer did not. A secret inadvertently passed as a query parameter — e.g. `?password=foo` or `?token=bar` — was therefore written to the access log in plaintext. Reported as F-015 in the [`apache/tooling-agents` L3 ASVS sweep `0920c77`](https://github.com/apache/tooling-agents/issues/23).

## Change

Add a `_redact_query_string()` helper that parses the query string into `(key, value)` pairs and runs `secrets_masker.redact(value, key)` per pair, then re-encodes. This matches the pattern in `logging/decorators.py`: keys whose names are flagged sensitive by `secrets_masker` (`password`, `token`, `api_key`, …) have their values replaced with `***`; values previously registered via `mask_secret()` are caught too. Non-sensitive keys are unchanged. Blank values are preserved so log readers still see the parameter was present. Malformed query strings fall back to raw logging rather than silently dropping diagnostic information.

## Test plan

- [x] Unit tests for `_redact_query_string` cover: sensitive-key value redaction, safe pairs pass through, empty/blank values preserved.
- [x] Integration test goes through `HttpAccessLogMiddleware` end-to-end: a request with `?password=...` is captured by structlog with the value masked.
- [x] Uses `@pytest.mark.enable_redact` so the test-plugin pass-through patch of `SecretsMasker.redact` is bypassed for the redaction-asserting cases.
- [x] `prek run ruff` clean.
- [x] `prek run mypy-airflow-core` clean.
- [x] Full `test_http_access_log.py` suite: 11 passed.

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Code (Opus 4.7)

Generated-by: Claude Code (Opus 4.7) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
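An added example of the redaction pattern the PR describes (parse to pairs, redact each value with its key as context, re-encode, keep blank values, fall back to raw on malformed input); this is not the PR's or Airflow's code. Airflow's `secrets_masker.redact()` and `mask_secret()` are replaced by stand-ins, and the sensitive-key pattern is an assumption so the block runs offline:

```python
"""Query-string redaction in the style the PR describes (added example, not Airflow code).
Airflow's secrets_masker.redact()/mask_secret() are replaced by stand-ins so this runs
offline; the sensitive-key pattern is an assumption, not Airflow's configured list."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode

MASK = "***"
# Assumed key-name pattern for "sensitive" parameters.
_SENSITIVE_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|authorization)", re.I)
# Stand-in for values registered via mask_secret().
_REGISTERED_SECRETS: set[str] = set()


def mask_secret(value: str) -> None:
    """Register a concrete value that must be masked wherever it appears."""
    if value:
        _REGISTERED_SECRETS.add(value)


def redact(value: str, key: str | None = None) -> str:
    """Stand-in for secrets_masker.redact(): mask by sensitive key name or registered value."""
    if not value:
        return value  # blank stays blank: the parameter's presence remains visible
    if key is not None and _SENSITIVE_KEY_RE.search(key):
        return MASK
    if value in _REGISTERED_SECRETS:
        return MASK
    return value


def redact_query_string(query_string: str) -> str:
    """Return the query string with sensitive values replaced by ***.

    Parse into (key, value) pairs, redact each value with its key as context, re-encode.
    keep_blank_values=True keeps "token=" visible; input that fails strict parsing is
    returned raw, as the PR describes, rather than silently dropped.
    """
    if not query_string:
        return query_string
    try:
        pairs = parse_qsl(query_string, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return query_string
    # safe="*" keeps the *** marker readable instead of %2A%2A%2A.
    return urlencode([(k, redact(v, k)) for k, v in pairs], safe="*")
```

Note that re-encoding normalises percent-escapes (`a%20b` comes back as `a+b`), and the raw fallback on a malformed string means an unparseable query is logged exactly as received.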
