Skip to content

Fix: check_connection and enhance the authorization URL#12298

Merged
setohe0909 merged 3 commits into
feature/hubspot-oauth-fixfrom
fix/hubspot-oauth-query
Mar 18, 2026
Merged

Fix: check_connection and enhance the authorization URL#12298
setohe0909 merged 3 commits into
feature/hubspot-oauth-fixfrom
fix/hubspot-oauth-query

Conversation

@setohe0909

@setohe0909 setohe0909 commented Mar 17, 2026

Copy link
Copy Markdown
Contributor

Description

Please include a summary of the change and the issue it solves.

Fixes #issue_number

Type of change

(Please delete options that are not relevant)

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ⚡ New feature (non-breaking change which adds functionality)
  • 📢 Breaking change (fix or feature that would cause existing functionality not to work as expected)
  • 📄 This change requires a documentation update

Verification Process

To ensure the changes are working as expected:

  • Test Location: Specify the URL or path for testing.
  • Verification Steps: Outline the steps or queries needed to validate the change. Include any data, configurations, or actions required to reproduce or see the new functionality.

Additional Media:

  • I have attached a brief loom video or screenshots showcasing the new functionality or change.

Checklist:

  • My code follows the style guidelines(PEP 8) of MindsDB.
  • I have appropriately commented on my code, especially in complex areas.
  • Necessary documentation updates are either made or tracked in issues.
  • Relevant unit and integration tests are updated or added.

Confidence Score: 1/5 - Blocking Issues

  • Critical security vulnerability: client_secret is embedded in the OAuth state URL parameter, exposing it in browser history, server logs, and HTTP Referer headers — this is a severe credential leak that must be fixed before merging.
  • Correctness bug: self.handler_storage can be None (no default in kwargs.get), causing AttributeError when calling .encrypted_json_get() — this will crash in production environments where handler_storage is not provided.
  • These are not style/nit issues — they represent a critical security flaw and a runtime crash scenario, both of which are blocking issues.
Files requiring special attention
  • mindsdb/integrations/handlers/hubspot_handler/hubspot_oauth.py
  • mindsdb/integrations/handlers/hubspot_handler/hubspot_handler.py

@setohe0909 setohe0909 requested a review from tino097 March 17, 2026 14:12
@setohe0909 setohe0909 self-assigned this Mar 17, 2026
Comment on lines +86 to +97
{
"datasource_name": self.datasource_name,
"integrations_name": "hubspot",
"client_id": self.client_id,
"client_secret": self.client_secret,
"redirect_uri": redirect_uri,
"scope": " ".join(self.scopes) if self.scopes else "oauth",
"optional_scope": " ".join(self.optional_scopes) if self.optional_scopes else "",
}
)
auth_url += f"&state={urllib.parse.quote(state_data)}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: The client_secret is embedded in the state query parameter of the auth URL, which will appear in browser history, server access logs, and HTTP Referer headers — this is a critical credential leak.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In mindsdb/integrations/handlers/hubspot_handler/hubspot_oauth.py, around line 90, the `client_secret` field is included in the `state_data` dict that gets URL-encoded and appended to the auth URL. Remove `"client_secret": self.client_secret` from the state_data dictionary. The client_secret must never be exposed in URLs as it will appear in browser history, server logs, and HTTP Referer headers, constituting a critical security vulnerability.

Comment on lines +113 to +115
"""Exchange an authorization code for access and refresh tokens."""
logger.error(
f"DEBUG EXCHANGING CODE: code={code}, redirect_uri={self._get_redirect_uri()}, client_id={self.client_id}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: This logger.error call logs the OAuth authorization code and client_id at ERROR level — the code is a sensitive single-use secret and should never appear in logs. This is a debug statement that was accidentally left in and must be removed before merging.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In mindsdb/integrations/handlers/hubspot_handler/hubspot_oauth.py, lines 113-115, remove the debug logger.error statement that logs sensitive OAuth credentials (authorization code and client_id). This is a leftover debug statement that exposes secrets in logs and must be deleted entirely before merging.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes we can remove this debug message

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Comment on lines +221 to +222

if not self.handler_storage.encrypted_json_get(_STORAGE_KEY):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: self.handler_storage is assigned from kwargs.get('handler_storage') and can be None. Calling self.handler_storage.encrypted_json_get(_STORAGE_KEY) when it is None will raise AttributeError and crash check_connection instead of proceeding normally.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In mindsdb/integrations/handlers/hubspot_handler/hubspot_handler.py, around line 221-222, `self.handler_storage` can be None (set via `kwargs.get('handler_storage')`). Before calling `self.handler_storage.encrypted_json_get(_STORAGE_KEY)`, add a None guard: `if not self.handler_storage or not self.handler_storage.encrypted_json_get(_STORAGE_KEY):`

@entelligence-ai-pr-reviews

Copy link
Copy Markdown
Contributor

🔍 Duplicate Code Detected

Found 1 duplicate function(s) in this PR. Consider consolidating to reduce code duplication.


File: hubspot_handler.py · Line 81-105

⚠️ Duplicate Code Detected (Similarity: 95%)

This function _map_type duplicates existing code.

📍 Original Location:

mindsdb/integrations/handlers/sheets_handler/sheets_handler.py:123-154

Function: _map_type

💡 Recommendation:
Create a shared utility module (e.g., mindsdb/integrations/utilities/type_mapping.py) with a common _map_type function that all handlers can import and use. This would eliminate duplication across hubspot, sheets, mysql, mssql, postgres, oracle, snowflake, databricks, and netsuite handlers.

Consider importing and reusing the existing function instead of duplicating the logic.

Comment on lines +83 to +92
# even when localStorage context is missing (e.g. script-initiated flows).
if self.datasource_name:
state_data = urllib.parse.urlencode(
{
"datasource_name": self.datasource_name,
"integrations_name": "hubspot",
"client_id": self.client_id,
"client_secret": self.client_secret,
"redirect_uri": redirect_uri,
"scope": " ".join(self.scopes) if self.scopes else "oauth",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: The client_secret is included in the OAuth state parameter, which is passed as a URL query parameter and visible in browser history, server logs, and the HubSpot redirect. This fully exposes the client secret to anyone who can observe the redirect URL.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In mindsdb/integrations/handlers/hubspot_handler/hubspot_oauth.py, around line 87, the `client_secret` is being included in the OAuth `state` parameter which gets appended to the auth URL as a query parameter. This exposes the client secret in browser history, server logs, and to HubSpot's servers. Remove `client_secret` from the state_data dictionary. The client_secret should never be transmitted via URL parameters.

Comment on lines +113 to +115
"""Exchange an authorization code for access and refresh tokens."""
logger.error(
f"DEBUG EXCHANGING CODE: code={code}, redirect_uri={self._get_redirect_uri()}, client_id={self.client_id}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: This logger.error call logs the OAuth authorization code and client_id at ERROR level — the code is a sensitive single-use credential and should never appear in logs. This is a debug statement that was accidentally committed and must be removed before production.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In file `mindsdb/integrations/handlers/hubspot_handler/hubspot_oauth.py`, lines 113-115, remove the `logger.error(...)` debug statement inside `_exchange_code()` that logs the OAuth authorization code, redirect URI, and client ID. This leaks sensitive credentials to logs. Delete those three lines entirely.

# later requests then fail with BAD_AUTH_CODE. Exchange only when a request
if self.connection_data.get("code") and not self.is_connected:
from mindsdb.integrations.handlers.hubspot_handler.hubspot_oauth import _STORAGE_KEY

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correctness: self.handler_storage can be None (it's set from kwargs.get('handler_storage') with no default), so calling self.handler_storage.encrypted_json_get(_STORAGE_KEY) will raise AttributeError when handler_storage is not provided.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In mindsdb/integrations/handlers/hubspot_handler/hubspot_handler.py, at the line `if not self.handler_storage.encrypted_json_get(_STORAGE_KEY):` (inside the `check_connection` method, within the new OAuth deferral block), `self.handler_storage` can be None because it is assigned via `kwargs.get('handler_storage')` without a default value. Add a None guard before calling the method: change the condition to `if not self.handler_storage or not self.handler_storage.encrypted_json_get(_STORAGE_KEY):`.

@tino097 tino097 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM just remove the debug message

@setohe0909 setohe0909 merged commit f1cda1d into feature/hubspot-oauth-fix Mar 18, 2026
2 checks passed
@setohe0909 setohe0909 deleted the fix/hubspot-oauth-query branch March 18, 2026 13:54
@github-actions github-actions Bot locked and limited conversation to collaborators Mar 18, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants