fix: redact secrets from summary database logs#307
Conversation
Signed-off-by: Harmke Alkemade <halkemade@nvidia.com>
Signed-off-by: Harmke Alkemade <halkemade@nvidia.com>
Signed-off-by: Harmke Alkemade <halkemade@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Enterprise Run ID: 📒 Files selected for processing (4)
📜 Recent review details🧰 Additional context used📓 Path-based instructions (5)**/*.py📄 CodeRabbit inference engine (CONTRIBUTING.md)
Files:
src/aiq_agent/**/*.py📄 CodeRabbit inference engine (AGENTS.md)
Files:
**⚙️ CodeRabbit configuration file
Files:
{src/aiq_agent/knowledge/**,sources/**}⚙️ CodeRabbit configuration file
Files:
**/*test*.py📄 CodeRabbit inference engine (CONTRIBUTING.md)
Files:
🔇 Additional comments (4)
WalkthroughAdds a ChangesDB URL redaction in logging
Estimated code review effort: 1 (Trivial) | ~5 minutes Sequence Diagram(s)sequenceDiagram
participant Factory as configure_summary_db
participant Store as SummaryStore
participant Redactor as _redact_db_url
Factory->>Store: SummaryStore(db_url)
Store->>Redactor: _redact_db_url(db_url)
Redactor-->>Store: safe URL string
Store-->>Factory: logger.info(redacted URL)
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
fix: redact secrets from summary database logs
Overview
Summary Store logging truncated raw database URLs to 50 characters. PostgreSQL URLs place credentials near the beginning, so passwords could be written to application logs.
This change:
***..secrets.baselinemetadata after test line numbers changed; no new secret was added to the baseline.Validation
Result:
1 passed, 53 deselectedResult:
52 passed, 2 skippedResult:
All checks passed!Result:
3 files already formattedResult: all applicable hooks passed, including
detect-secrets.git commit -sor an equivalent sign-off.Where should reviewers start?
Start with
_redact_db_url()insrc/aiq_agent/knowledge/summary_store.py, then reviewtest_redact_db_url()intests/knowledge_layer_tests/test_summary_store.py.The main design decision is to remove all query parameters from the logged representation instead of maintaining a potentially incomplete allowlist of sensitive query keys.
Related Issues
Summary by CodeRabbit
Bug Fixes
Tests