comments

hectorcast-db · hectorcast-db · commit 8d5cd79b8afa · 2025-10-07T13:36:24.000Z
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -4,10 +4,10 @@
 
 ### New Features and Improvements
 
-* Add native support for authentication through Azure DevOps OIDC
+* Add native support for authentication through Azure DevOps OIDC.
 
 ### Bug Fixes
-* Fix bearer tokens logged in exception messages
+* Fix a security issue that resulted in bearer tokens being logged in exception messages.
 
 ### Documentation
 
diff --git a/databricks/sdk/errors/parser.py b/databricks/sdk/errors/parser.py
@@ -37,7 +37,7 @@ def _unknown_error(response: requests.Response, debug_headers: bool = False) ->
     This error message includes a link to the issue tracker for the SDK for users to report the issue to us.
 
     :param response: The response object from the API request.
-    :param debug_headers: Whether to include headers in the request log. Defaults to False for security.
+    :param debug_headers: Whether to include headers in the request log. Defaults to False to defensively handle cases where request headers might contain sensitive data (e.g. tokens). 
     """
     request_log = RoundTrip(response, debug_headers=debug_headers, debug_truncate_bytes=10 * 1024).generate()
     return (
diff --git a/tests/test_errors.py b/tests/test_errors.py
@@ -375,7 +375,7 @@ def test_get_api_error(test_case: TestCase):
 
 def test_debug_headers_disabled_by_default():
     """Test that debug_headers=False by default does not leak sensitive headers in unparseable errors."""
-    # Create a response with Authorization header that cannot be parsed
+    # Create a response with Authorization header that cannot be parsed.
     resp = requests.Response()
     resp.status_code = 400
     resp.reason = "Bad Request"
@@ -388,7 +388,7 @@ def test_debug_headers_disabled_by_default():
     error = parser.get_api_error(resp)
 
     error_message = str(error)
-    # Verify that sensitive tokens are NOT in the error message
+    # Verify that sensitive tokens are NOT in the error message.
     assert "secret-token-12345" not in error_message
     assert "secret-azure-token-67890" not in error_message
     assert "Authorization" not in error_message
@@ -397,7 +397,7 @@ def test_debug_headers_disabled_by_default():
 
 def test_debug_headers_enabled_shows_headers():
     """Test that debug_headers=True includes headers in unparseable error messages."""
-    # Create a response with Authorization header that cannot be parsed
+    # Create a response with Authorization header that cannot be parsed.
     resp = requests.Response()
     resp.status_code = 400
     resp.reason = "Bad Request"
@@ -410,7 +410,7 @@ def test_debug_headers_enabled_shows_headers():
     error = parser.get_api_error(resp)
 
     error_message = str(error)
-    # Verify that headers ARE included when explicitly enabled
+    # Verify that headers ARE included when explicitly enabled.
     assert "Authorization" in error_message
     assert "debug-token-12345" in error_message
     assert "X-Databricks-Azure-SP-Management-Token" in error_message
