Conversation
password check is there, but don't know if it works
    log.info("user logged in!")
    return redirect("/", code=301)
else:
    log.warning(f"someone failed a login!\nusername: {u["username"]}\npassword: {u["password"]}")
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information (severity: High)
Copilot Autofix
AI 3 months ago
General fix:
To fix the problem, the logging code at line 192 should be modified to exclude the password from the log entry. Instead, it can log only non-sensitive information such as the username and a generic failure message. Alternatively, if more detailed context is desired (without logging sensitive data), information such as the user's IP address, timestamp, or the nature of the failure can be logged—but never the password itself.
Specific fix for this code:
Edit line 192 in app.py so that the log entry does not include u["password"]. Only the username (if you wish to keep that) and a message about the failed login should be logged. The change should be within the login route, affecting only the logging call.
Required changes:
- Edit only the relevant log statement (line 192) to remove the password from the log message.
| @@ -189,7 +189,7 @@ | ||
| log.info("user logged in!") | ||
| return redirect("/", code=301) | ||
| else: | ||
| log.warning(f"someone failed a login!\nusername: {u["username"]}\npassword: {u["password"]}") | ||
| log.warning(f"someone failed a login!\nusername: {u['username']}") | ||
| abort(403) | ||
| elif request.method == "DELETE": | ||
| session["user"] = None |
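Review bot: The replacement line still interpolates the request-supplied `u['username']` into a message that uses `\n` as its own field separator, so a username containing newline characters can forge extra lines in the log; pass the value as a logging argument instead (`log.warning("login failed username=%r", u['username'])`) or strip control characters before logging. The removed line also used `{u["username"]}` inside a double-quoted f-string, which only parses on Python 3.12 and later; the new line's single quotes sidestep that. Separately, the unchanged `return redirect("/", code=301)` on success is a permanent redirect that browsers cache, and a 302 or 303 is what a POST login handler normally wants.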
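The autofix comment above recommends logging only non-sensitive context (username, client address, failure reason) and never the password. The following is an added example, not code from this pull request or from Copilot, showing one way to do that with the stdlib `logging` module: the password key is never read, and untrusted fields have control characters replaced so a single request cannot forge extra log lines. The helper names, the `form` mapping standing in for Flask's `request.form`, and the sample values are all constructed for the example.

```python
import logging
import re

log = logging.getLogger("auth")

# Hypothetical helper (not part of the PR): any ASCII control character in an
# attacker-influenced field is replaced so it cannot break the line structure
# of the log.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value, max_len=64):
    """Replace control characters (newline, tab, escape, ...) with '?' and cap length."""
    s = _CONTROL.sub("?", str(value))
    if len(s) > max_len:
        s = s[:max_len] + "..."
    return s


def failed_login_record(form, remote_addr, reason="bad credentials"):
    """Build the fields worth logging for a failed login.

    `form` is a mapping like Flask's request.form. The password key is
    deliberately never read here, so it cannot reach the log even by accident.
    """
    return {
        "event": "login_failed",
        "username": sanitize_for_log(form.get("username", "")),
        "remote_addr": sanitize_for_log(remote_addr),
        "reason": reason,
    }


def log_failed_login(form, remote_addr, reason="bad credentials"):
    """Emit the warning and return the record that was logged (useful in tests)."""
    rec = failed_login_record(form, remote_addr, reason)
    # %-style arguments keep the message template constant; the values are
    # passed separately rather than concatenated into the template.
    log.warning(
        "login failed username=%r remote_addr=%s reason=%s",
        rec["username"],
        rec["remote_addr"],
        rec["reason"],
    )
    return rec


if __name__ == "__main__":
    # Constructed sample input: the username carries a newline that would
    # otherwise fake a "user logged in!" line in the log.
    sample = {"username": "alice\nuser logged in!", "password": "hunter2"}
    logging.basicConfig(level=logging.WARNING)
    print(log_failed_login(sample, "203.0.113.5"))
```

Calling `log_failed_login(request.form, request.remote_addr)` from the failure branch of the login route would replace the flagged `log.warning(...)` call; the returned record makes the "no password in the log" property easy to assert in a unit test.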
No description provided.