Skip to content

Fix: Prevent log injection and sensitive URL leakage in backend logging#272

Open
Madhavi1108 wants to merge 1 commit into
ionfwsrijan:mainfrom
Madhavi1108:fix-issue-270-url-logging
Open

Fix: Prevent log injection and sensitive URL leakage in backend logging#272
Madhavi1108 wants to merge 1 commit into
ionfwsrijan:mainfrom
Madhavi1108:fix-issue-270-url-logging

Conversation

@Madhavi1108

@Madhavi1108 Madhavi1108 commented Jul 4, 2026

Copy link
Copy Markdown

Linked issue

Closes #270


What this PR does

This PR strengthens backend logging security by preventing sensitive URL information from being written to logs, mitigating potential log injection vulnerabilities, validating Git branch references, and replacing eager string interpolation with Python's recommended lazy logging practices.


Type of change

  • Bug fix
  • New feature
  • ML model / training pipeline
  • Refactor (no behaviour change)
  • Documentation
  • Tests only

ML tier (if applicable)

  • Tier 1 — Triage
  • Tier 2 — Predictive
  • Tier 3 — Autonomous
  • Not ML-related

Stack affected

  • Backend
  • Frontend
  • Both

Changes

Backend

  • Added sanitize_url_for_log() to remove query parameters, fragments, and embedded credentials before logging URLs.
  • Refactored the rate-limit logging inside download_to_path() to use structured, lazy logging with extra={...} instead of eager f-string interpolation.
  • Added strict validation for Git branch references in github_zip_url() using a regular expression.
  • Updated ollama_health() logging to use lazy %s formatting instead of f-strings.
  • Improved overall logging security while preserving existing application behavior.

Frontend

  • No frontend changes.

New dependencies

  • None.

Database / schema changes

  • None.

Testing

How did you test this?

  • Verified that backend/app/main.py compiles successfully without syntax errors.
  • Confirmed that sanitized URLs exclude query parameters, fragments, and user credentials before being logged.
  • Validated that invalid Git branch references return an HTTP 400 response.
  • Verified that structured logging correctly records contextual metadata while avoiding eager string interpolation.
  • Confirmed that existing backend functionality remains unchanged.

Checklist

  • Tested locally end-to-end (upload ZIP or GitHub URL → scan → findings returned correctly)
  • New ML model falls back gracefully when model file is absent (not applicable; existing behavior unchanged)
  • No new console.error or unhandled Python exceptions introduced
  • Added or updated tests where applicable
  • requirements.txt / package.json updated if new dependencies added
  • New model files (.pkl, .pt, etc.) are gitignored, not committed (no model files added)

Anything reviewers should focus on

Please review:

  • The URL sanitization logic to ensure sensitive URL components are consistently removed before logging.
  • The structured logging implementation within download_to_path() and its compatibility with the existing logging configuration.
  • The regular expression used for Git branch reference validation to ensure it accepts valid branch names while rejecting malformed inputs.
  • The updated lazy logging statements for consistency with the project's logging conventions.

Screenshots (if UI changed)

Not applicable — backend-only security fix.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown

🎉 Thank you @Madhavi1108 for submitting a Pull Request!

We're excited to review your contribution.

Before Review

✅ Ensure all CI checks pass
✅ Complete the PR template
✅ Link the related issue

Want faster reviews and contributor support?

Join our Discord community:

🔗 https://discord.gg/FcXuyw2Rs

Maintainers and mentors are active there and can help resolve blockers quickly.

Happy Contributing! 🚀

@github-actions github-actions Bot added SSoC26 needs-work Work needed labels Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown

⚠️ Automated Check: This PR does not strictly follow the required template. Please ensure you have not deleted any checkboxes or mandatory headings, and that you have written explanations under What this PR does and How did you test this?.

Correct PR Template

Please copy and paste the raw template below into your PR description and fill it out:

> **Before opening:** make sure there is an issue tracking this work, and link it below. PRs without a linked issue may be closed without review.

## Linked issue

Closes #

## What this PR does



## Type of change

- [ ] Bug fix
- [ ] New feature
- [ ] ML model / training pipeline
- [ ] Refactor (no behaviour change)
- [ ] Documentation
- [ ] Tests only

## ML tier (if applicable)

- [ ] Tier 1 — Triage
- [ ] Tier 2 — Predictive
- [ ] Tier 3 — Autonomous
- [ ] Not ML-related

## Stack affected

- [ ] Backend
- [ ] Frontend
- [ ] Both

---

## Changes

### Backend



-

### Frontend



-

### New dependencies



-

### Database / schema changes



-

---

## Testing

**How did you test this?**



**Checklist**

- [ ] Tested locally end-to-end (upload ZIP or GitHub URL → scan → findings returned correctly)
- [ ] New ML model falls back gracefully when model file is absent
- [ ] No new `console.error` or unhandled Python exceptions introduced
- [ ] Added or updated tests where applicable
- [ ] `requirements.txt` / `package.json` updated if new dependencies added
- [ ] New model files (`.pkl`, `.pt`, etc.) are gitignored, not committed

---

## Anything reviewers should focus on



## Screenshots (if UI changed)

@Madhavi1108

Copy link
Copy Markdown
Author

Hi @ionfwsrijan ,
I have solved the issue
Kindly let me know if any changes are needed from my side

@github-actions github-actions Bot added backend Backend issues frontend Frontend issues labels Jul 4, 2026
@ionfwsrijan

Copy link
Copy Markdown
Owner

@arpit2006

@arpit2006

Copy link
Copy Markdown
Collaborator

CI issue @Madhavi1108

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend Backend issues frontend Frontend issues needs-work Work needed SSoC26

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Sensitive URL and potential tokens leaked into logs via eager f-string evaluation in download retry logging

3 participants