Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| let has_token = if c.cloud_token.is_some() { "✓" } else { "-" }; | ||
| let has_key = if c.cloud_key.is_some() { "✓" } else { "-" }; | ||
| let has_secret = if c.cloud_secret.is_some() { "✓" } else { "-" }; | ||
| println!( |
Check failure
Code scanning / CodeQL
Cleartext logging of sensitive information High
This autofix suggestion was applied.
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 1 day ago
In general, to fix cleartext logging of sensitive information, you should avoid printing secrets or detailed information about them (including sometimes whether they exist) to stdout/stderr or to any logging sink. If information about credentials must be shown, prefer coarse, non-sensitive summaries and avoid revealing anything that an attacker could meaningfully abuse.
For this specific code, the JSON output already avoids exposing the secret value and only exposes a boolean has_secret. The flagged part is the human-readable table output where has_secret maps to "✓" or "-" and is then printed. To minimize sensitive metadata exposure without changing overall functionality, we can keep showing whether a cloud has a token or key, but stop indicating the presence of a secret. We will: (1) replace the "SECRET" column header with something neutral like "SECRET" but always show a placeholder such as "*", removing the dependency on c.cloud_secret; (2) remove the has_secret variable entirely and stop calculating c.cloud_secret.is_some(). This way, the CLI still lists clouds and shows other credential presence, but does not disclose whether a secret is configured.
Concretely in src/console/commands/cli/list.rs within the impl CallableTrait for ListCloudsCommand block:
- Remove the
has_secretlocal variable and associatedc.cloud_secret.is_some()call. - In the
println!that prints each row, replacehas_secretwith a constant placeholder string (e.g."*"). We keep the column count and formatting unchanged so existing consumers of the CLI output are unaffected in structure. - No new imports or external dependencies are required.
| @@ -316,7 +316,7 @@ | ||
| for c in &clouds { | ||
| let has_token = if c.cloud_token.is_some() { "✓" } else { "-" }; | ||
| let has_key = if c.cloud_key.is_some() { "✓" } else { "-" }; | ||
| let has_secret = if c.cloud_secret.is_some() { "✓" } else { "-" }; | ||
| let secret_indicator = "*"; | ||
| println!( | ||
| "{:<6} {:<24} {:<12} {:<10} {:<10} {:<10}", | ||
| c.id, | ||
| @@ -324,7 +324,7 @@ | ||
| &c.provider, | ||
| has_token, | ||
| has_key, | ||
| has_secret, | ||
| secret_indicator, | ||
| ); | ||
| } | ||
|
|
vsilent
committed this autofix suggestion 1 day ago.
… vals, dormant bug fix
Redeploy. FIX:Casbin policies use 'client' as the subject not numeric…
…nsitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 participant
No description provided.