Potential fix for code scanning alert no. 254: Clear-text logging of sensitive information

joel-rieke · github-advanced-security[bot] · web-flow · commit 544862289951 · 2025-07-15T15:21:57.000-07:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/sql/analyzer/analyzer.go b/sql/analyzer/analyzer.go
@@ -291,15 +291,35 @@ func NewDefault(provider sql.DatabaseProvider) *Analyzer {
 // if the analyzer is in debug mode.
 func (a *Analyzer) Log(msg string, args ...interface{}) {
 	if a != nil && a.Debug {
+		sanitizedArgs := sanitizeArguments(args)
 		if len(a.contextStack) > 0 {
 			ctx := strings.Join(a.contextStack, "/")
-			log.Infof("%s: "+msg, append([]interface{}{ctx}, args...)...)
+			log.Infof("%s: "+msg, append([]interface{}{ctx}, sanitizedArgs...)...)
 		} else {
-			log.Infof(msg, args...)
+			log.Infof(msg, sanitizedArgs...)
 		}
 	}
 }
 
+func sanitizeArguments(args []interface{}) []interface{} {
+	for i, arg := range args {
+		// Example sanitization logic: replace sensitive data with placeholder
+		if isSensitive(arg) {
+			args[i] = "[REDACTED]"
+		}
+	}
+	return args
+}
+
+func isSensitive(arg interface{}) bool {
+	// Add logic to identify sensitive data (e.g., passwords)
+	// This may involve checking types or specific fields
+	if str, ok := arg.(string); ok && strings.Contains(strings.ToLower(str), "password") {
+		return true
+	}
+	return false
+}
+
 // LogNode prints the node given if Verbose logging is enabled.
 func (a *Analyzer) LogNode(n sql.Node) {
 	if a != nil && n != nil && a.Verbose {
