Mask API tokens in log messages

haacked · haacked · commit 171fabb01da8 · 2025-12-02T12:00:01.000-08:00
Keep first 10 chars visible for identification while hiding the rest.
Addresses CodeQL security warning about logging sensitive data.
diff --git a/posthog/request.py b/posthog/request.py
@@ -1,5 +1,6 @@
 import json
 import logging
+import re
 from dataclasses import dataclass
 from datetime import date, datetime
 from gzip import GzipFile
@@ -14,6 +15,11 @@
 from posthog.version import VERSION
 
 
+def _mask_tokens_in_url(url: str) -> str:
+    """Mask token values in URLs for safe logging, keeping first 10 chars visible."""
+    return re.sub(r"(token=)([^&]{10})[^&]*", r"\1\2...", url)
+
+
 @dataclass
 class GetResponse:
     """Response from a GET request with ETag support."""
@@ -196,15 +202,17 @@ def get(
 
     res = _session.get(full_url, headers=headers, timeout=timeout)
 
+    masked_url = _mask_tokens_in_url(full_url)
+
     # Handle 304 Not Modified
     if res.status_code == 304:
-        log.debug(f"GET {full_url} returned 304 Not Modified")
+        log.debug(f"GET {masked_url} returned 304 Not Modified")
         response_etag = res.headers.get("ETag")
         return GetResponse(data=None, etag=response_etag or etag, not_modified=True)
 
     # Handle normal response
     data = _process_response(
-        res, success_message=f"GET {full_url} completed successfully"
+        res, success_message=f"GET {masked_url} completed successfully"
     )
     response_etag = res.headers.get("ETag")
     return GetResponse(data=data, etag=response_etag, not_modified=False)
diff --git a/posthog/test/test_request.py b/posthog/test/test_request.py
@@ -11,6 +11,7 @@
     DatetimeSerializer,
     GetResponse,
     QuotaLimitError,
+    _mask_tokens_in_url,
     batch_post,
     decide,
     determine_server_host,
@@ -19,6 +20,40 @@
 from posthog.test.test_utils import TEST_API_KEY
 
 
+@pytest.mark.parametrize(
+    "url, expected",
+    [
+        # Token with params after - masks keeping first 10 chars
+        (
+            "https://example.com/api/flags?token=phc_abc123xyz789&send_cohorts",
+            "https://example.com/api/flags?token=phc_abc123...&send_cohorts",
+        ),
+        # Token at end of URL
+        (
+            "https://example.com/api/flags?token=phc_abc123xyz789",
+            "https://example.com/api/flags?token=phc_abc123...",
+        ),
+        # No token - unchanged
+        (
+            "https://example.com/api/flags?other=value",
+            "https://example.com/api/flags?other=value",
+        ),
+        # Short token (<10 chars) - unchanged
+        (
+            "https://example.com/api/flags?token=short",
+            "https://example.com/api/flags?token=short",
+        ),
+        # Exactly 10 char token - gets ellipsis
+        (
+            "https://example.com/api/flags?token=1234567890",
+            "https://example.com/api/flags?token=1234567890...",
+        ),
+    ],
+)
+def test_mask_tokens_in_url(url, expected):
+    assert _mask_tokens_in_url(url) == expected
+
+
 class TestRequests(unittest.TestCase):
     def test_valid_request(self):
         res = batch_post(
