Potential fix for code scanning alert no. 411: Clear-text logging of sensitive information

joel-rieke · github-advanced-security[bot] · web-flow · commit feacdecf1829 · 2025-07-28T12:56:30.000-07:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/sql/analyzer/analyzer.go b/sql/analyzer/analyzer.go
@@ -294,9 +294,19 @@ func (a *Analyzer) Log(msg string, args ...interface{}) {
 	if a != nil && a.Debug {
 		if len(a.contextStack) > 0 {
 			ctx := strings.Join(a.contextStack, "/")
-			log.Infof("%s: "+msg, append([]interface{}{ctx}, sanitizeArguments(args)...)...)
+			sanitizedArgs := sanitizeArguments(args)
+			if containsSensitiveData(sanitizedArgs) {
+				log.Warnf("Sensitive data detected in log arguments. Logging suppressed.")
+				return
+			}
+			log.Infof("%s: "+msg, append([]interface{}{ctx}, sanitizedArgs...)...)
 		} else {
-			log.Infof(msg, sanitizeArguments(args)...)
+			sanitizedArgs := sanitizeArguments(args)
+			if containsSensitiveData(sanitizedArgs) {
+				log.Warnf("Sensitive data detected in log arguments. Logging suppressed.")
+				return
+			}
+			log.Infof(msg, sanitizedArgs...)
 		}
 	}
 }
@@ -346,7 +356,10 @@ func sanitizeArguments(args []interface{}) []interface{} {
 				}
 				args[i] = mapSanitized
 			} else {
-				args[i] = "[REDACTED]"
+				// Catch-all for unhandled types
+				if isSensitive(fmt.Sprintf("%v", arg)) {
+					args[i] = "[REDACTED]"
+				}
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -294,9 +294,19 @@ func (a *Analyzer) Log(msg string, args ...interface{}) {`
`294`	`294`	`if a != nil && a.Debug {`
`295`	`295`	`if len(a.contextStack) > 0 {`
`296`	`296`	`ctx := strings.Join(a.contextStack, "/")`
`297`		`- log.Infof("%s: "+msg, append([]interface{}{ctx}, sanitizeArguments(args)...)...)`
	`297`	`+ sanitizedArgs := sanitizeArguments(args)`
	`298`	`+ if containsSensitiveData(sanitizedArgs) {`
	`299`	`+ log.Warnf("Sensitive data detected in log arguments. Logging suppressed.")`
	`300`	`+ return`
	`301`	`+ }`
	`302`	`+ log.Infof("%s: "+msg, append([]interface{}{ctx}, sanitizedArgs...)...)`
`298`	`303`	`} else {`
`299`		`- log.Infof(msg, sanitizeArguments(args)...)`
	`304`	`+ sanitizedArgs := sanitizeArguments(args)`
	`305`	`+ if containsSensitiveData(sanitizedArgs) {`
	`306`	`+ log.Warnf("Sensitive data detected in log arguments. Logging suppressed.")`
	`307`	`+ return`
	`308`	`+ }`
	`309`	`+ log.Infof(msg, sanitizedArgs...)`
`300`	`310`	`}`
`301`	`311`	`}`
`302`	`312`	`}`
`@@ -346,7 +356,10 @@ func sanitizeArguments(args []interface{}) []interface{} {`
`346`	`356`	`}`
`347`	`357`	`args[i] = mapSanitized`
`348`	`358`	`} else {`
`349`		`- args[i] = "[REDACTED]"`
	`359`	`+ // Catch-all for unhandled types`
	`360`	`+ if isSensitive(fmt.Sprintf("%v", arg)) {`
	`361`	`+ args[i] = "[REDACTED]"`
	`362`	`+ }`
`350`	`363`	`}`
`351`	`364`	`}`
`352`	`365`	`}`