Skip to content

Potential fix for code scanning alert no. 31: Clear-text logging of sensitive information#58

Merged
johnteee merged 1 commit into
mainfrom
alert-autofix-31
Jun 5, 2026
Merged

Potential fix for code scanning alert no. 31: Clear-text logging of sensitive information#58
johnteee merged 1 commit into
mainfrom
alert-autofix-31

Conversation

@johnteee

@johnteee johnteee commented Jun 5, 2026

Copy link
Copy Markdown
Member

Potential fix for https://github.com/TeaEntityLab/teaAgent/security/code-scanning/31

Best fix: add a strict terminal allowlist sanitizer immediately before logging, so only safe primitive/structural fields remain and any unknown or potentially sensitive keys/values are redacted. This keeps current functionality (JSON diagnostics output) while making the sink provably safer for static analysis and runtime security.

In teaagent/cli/_handlers/_doctor.py:

  1. Add a new helper (near existing sanitizers) that recursively sanitizes output with a conservative policy:
    • redact values for sensitive-looking keys/env names;
    • redact suspicious strings (existing _looks_like_sensitive_string);
    • preserve benign primitives and structure.
  2. In print_json, run this strict sanitizer as the final pass before json.dumps.

No new dependencies are required; reuse existing helpers and constants.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@johnteee johnteee marked this pull request as ready for review June 5, 2026 15:28
@johnteee johnteee merged commit f211faa into main Jun 5, 2026
7 of 15 checks passed
@johnteee johnteee deleted the alert-autofix-31 branch June 5, 2026 15:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant