Contributor

@danish9039 danish9039 commented Jul 19, 2025

Which problem is this PR solving?

Related to

Description of the changes

  • Security Fix
    This PR addresses a High severity CodeQL security alert for "Clear-text logging of sensitive information" in the FSWatcher component. This issue was originally found in PR [refactor] Used OTEL Optional type for union Auth struct #7316.

  • Problem
    CodeQL detected that sensitive file paths (potentially containing credentials) were being logged in plain text:

    ```go
    // Before: Exposes sensitive file paths in logs
    w.logger.Warn("Unable to read the file", zap.String("file", filePathName), zap.Error(err))
    ```

    Security Risk: If logs are compromised, attackers could identify locations of credential files, configuration files, or other
    sensitive resources.

  • Solution
    Removed sensitive file path information from log messages while preserving error context:

    ```go
    // After: Secure logging without exposing file paths
    w.logger.Warn("Unable to read the file", zap.Error(err))
    ```
  • Files Changed
    internal/fswatcher/fswatcher.go: Removed zap.String("file", filePathName) from error logging

    internal/fswatcher/fswatcher_test.go: Updated test assertions to match new log format

How was this change tested?

Checklist

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
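An added example (not the PR's code; Jaeger logs with zap, this uses the standard library's log/slog for the same structured-field pattern) showing why dropping the explicit path field is only part of the job in Go: os.ReadFile returns an *fs.PathError whose Error() string is "open <path>: <cause>", so logging the error string alone can still put the path back into the log. The rootCause helper unwraps to the underlying cause before logging, and leaksPath is the kind of check a test can run over the captured output; the file path is a constructed sample that does not exist.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io/fs"
	"log/slog"
	"os"
	"strings"
)

// rootCause strips the *fs.PathError wrapper that os.ReadFile returns; its
// Error() embeds the path, which is what we do not want to emit.
func rootCause(err error) error {
	var pe *fs.PathError
	if errors.As(err, &pe) {
		return pe.Err
	}
	return err
}

// logRead tries to read path and, on failure, logs a warning either naively
// (err.Error() as-is) or safely (root cause only). Returns the JSON log output.
func logRead(path string, safe bool) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewJSONHandler(&buf, nil))
	if _, err := os.ReadFile(path); err != nil {
		if safe {
			logger.Warn("Unable to read the file", slog.String("error", rootCause(err).Error()))
		} else {
			logger.Warn("Unable to read the file", slog.String("error", err.Error()))
		}
	}
	return buf.String()
}

// leaksPath reports whether the captured log text still contains the path.
func leaksPath(logText, path string) bool {
	return strings.Contains(logText, path)
}

func main() {
	path := "/tmp/does-not-exist/credentials.json" // constructed sample; the read fails
	fmt.Print("naive: ", logRead(path, false))
	fmt.Print("safe:  ", logRead(path, true))
}
```

The naive line still contains the full path inside the error string even though no "file" field is logged; the safe line carries only the cause (for example "no such file or directory").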
@danish9039 danish9039 requested a review from a team as a code owner July 19, 2025 17:13
@danish9039 danish9039 requested a review from pavolloffay July 19, 2025 17:13
@dosubot dosubot bot added the security label Jul 19, 2025

codecov bot commented Jul 19, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.44%. Comparing base (d827d78) to head (bc34920).
Report is 1 commits behind head on main.

Additional details and impacted files
```
@@            Coverage Diff             @@
##             main    #7345      +/-   ##
==========================================
- Coverage   96.49%   96.44%   -0.05%     
==========================================
  Files         378      378              
  Lines       22910    22910              
==========================================
- Hits        22107    22096      -11     
- Misses        608      616       +8     
- Partials      195      198       +3     
```
| Flag | Coverage Δ |
|---|---|
| badger_v1 | 9.16% <0.00%> (ø) |
| badger_v2 | 1.75% <0.00%> (ø) |
| cassandra-4.x-v1-manual | 11.90% <0.00%> (ø) |
| cassandra-4.x-v2-auto | 1.74% <0.00%> (ø) |
| cassandra-4.x-v2-manual | 1.74% <0.00%> (ø) |
| cassandra-5.x-v1-manual | 11.90% <0.00%> (ø) |
| cassandra-5.x-v2-auto | 1.74% <0.00%> (ø) |
| cassandra-5.x-v2-manual | 1.74% <0.00%> (ø) |
| elasticsearch-6.x-v1 | 16.74% <0.00%> (ø) |
| elasticsearch-7.x-v1 | 16.79% <0.00%> (ø) |
| elasticsearch-8.x-v1 | 16.95% <0.00%> (ø) |
| elasticsearch-8.x-v2 | 1.75% <0.00%> (ø) |
| grpc_v1 | 10.41% <0.00%> (ø) |
| grpc_v2 | 1.75% <0.00%> (ø) |
| kafka-3.x-v1 | 9.33% <0.00%> (ø) |
| kafka-3.x-v2 | 1.75% <0.00%> (ø) |
| memory_v2 | 1.75% <0.00%> (ø) |
| opensearch-1.x-v1 | 16.83% <0.00%> (ø) |
| opensearch-2.x-v1 | 16.83% <0.00%> (ø) |
| opensearch-2.x-v2 | 1.84% <0.00%> (+0.09%) ⬆️ |
| query | 1.75% <0.00%> (ø) |
| tailsampling-processor | 0.48% <0.00%> (ø) |
| unittests | 95.40% <100.00%> (-0.05%) ⬇️ |


@yurishkuro yurishkuro added this pull request to the merge queue Jul 19, 2025
Merged via the queue into jaegertracing:main with commit fe7e90a Jul 19, 2025
61 of 63 checks passed
chethanac15 pushed a commit to chethanac15/jaeger that referenced this pull request Jul 20, 2025
…ges (jaegertracing#7345)


Related to
- jaegertracing#7316
- jaegertracing#7225

- Security Fix
This PR addresses a High severity CodeQL security alert for "Clear-text
logging of sensitive information" in the FSWatcher component. This issue
was originally found in PR
jaegertracing#7316 .

- Problem
CodeQL detected that sensitive file paths (potentially containing
credentials) were being logged in plain text:
```go
// Before: Exposes sensitive file paths in logs
w.logger.Warn("Unable to read the file", zap.String("file", filePathName), zap.Error(err))
```
Security Risk: If logs are compromised, attackers could identify
locations of credential files, configuration files, or other
sensitive resources.

- Solution
Removed sensitive file path information from log messages while
preserving error context:
```go
// After: Secure logging without exposing file paths
w.logger.Warn("Unable to read the file", zap.Error(err))
```
- Files Changed
`internal/fswatcher/fswatcher.go`: Removed zap.String("file",
filePathName) from error logging

`internal/fswatcher/fswatcher_test.go`: Updated test assertions to match
new log format


- [ ] I have read
https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md
- [ ] I have signed all commits
- [ ] I have added unit tests for the new functionality
- [ ] I have run lint and test steps successfully
  - for `jaeger`: `make lint test`
  - for `jaeger-ui`: `npm run lint` and `npm run test`

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: Chethan A C <acchethan15@gmail.com>