```python
# Send initialization message
init_msg = self._create_init_message()
await ws.send(json.dumps(init_msg))
logger.info(f"Sent initialization message to Shunya Labs, {json.dumps(init_msg)}")
```
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information (High)
Copilot Autofix
AI 2 months ago
To fix the problem, the code should stop logging the full init_msg including the api_key. Instead, log only non-sensitive parts of the initialization message, or simply confirm that the message was sent without including its content. This preserves observability (knowing that an init message was sent) while eliminating exposure of the API key.
The best minimal fix without changing existing functionality is:
- Keep `_create_init_message` unchanged so the WebSocket still receives the full configuration, including `api_key`.
- Change the log statement on line 265 so it no longer includes `json.dumps(init_msg)`. Optionally, log a filtered view of `init_msg` with the `api_key` omitted or masked.

Concretely:

- In `bolna/transcriber/shunya_transcriber.py`, locate the block where `init_msg` is created and sent:
  - Line 263: `init_msg = self._create_init_message()`
  - Line 264: `await ws.send(json.dumps(init_msg))`
  - Line 265: `logger.info(f"Sent initialization message to Shunya Labs, {json.dumps(init_msg)}")`
- Replace line 265 with a safe logging statement that either:
  - logs just a static message (most conservative), or
  - logs a redacted/partial version of the config (e.g., language, model, and `api_key` replaced with `"***"`).
No new methods or imports are strictly required; we can construct a small redacted dict inline if desired. To stay simple and robust, I’ll log only non-sensitive configuration fields (language, model, frames_silence_duration) and omit the key entirely.
| @@ -262,7 +262,7 @@ | ||
| # Send initialization message | ||
| init_msg = self._create_init_message() | ||
| await ws.send(json.dumps(init_msg)) | ||
| logger.info(f"Sent initialization message to Shunya Labs, {json.dumps(init_msg)}") | ||
| logger.info("Sent initialization message to Shunya Labs (sensitive fields omitted from logs)") | ||
|
|
||
| self.session_initialized = True | ||
| self.connection_authenticated = True |
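Review bot: the replacement logger.info line in this hunk logs only a static string, while the explanation above said the non-sensitive fields (language, model, frames_silence_duration) would still be logged; either log json.dumps of a copy of init_msg with api_key removed, or update the explanation so reviewers know the config is no longer observable in the logs. It is also worth checking that nothing else on this connect path (for example a debug dump of outgoing WebSocket frames) echoes init_msg, since this one-line change only covers the flagged statement.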
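The redacted-logging option the autofix comment describes, as an added example that is not code from the bolna project: a deep-copy redaction of the init message so the full configuration still goes out on the socket while only a masked copy is logged, plus a logging filter that scrubs known secret values from any record as defence in depth. The init_msg shape below is a constructed sample; the project's real message comes from `_create_init_message()`.

```python
import copy
import json
import logging

# Key names whose values must never reach a log line (matched case-insensitively).
SENSITIVE_KEYS = {"api_key", "apikey", "token", "secret", "password", "authorization"}
MASK = "***"

def redact(obj, sensitive=SENSITIVE_KEYS):
    """Deep-copy a JSON-like structure, masking the values of sensitive keys.
    The original is untouched, so the full message can still go out on the WebSocket."""
    if isinstance(obj, dict):
        return {k: (MASK if str(k).lower() in sensitive else redact(v, sensitive))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, sensitive) for v in obj]
    return copy.deepcopy(obj)

def safe_init_log_line(init_msg):
    """Log text for a sent init message: the config, with secret values masked."""
    return f"Sent initialization message to Shunya Labs, {json.dumps(redact(init_msg))}"

def scrub(text, secrets):
    """Replace every known secret value in `text` with MASK."""
    for s in secrets:
        if s:
            text = text.replace(s, MASK)
    return text

class SecretScrubFilter(logging.Filter):
    """Defence in depth: mask known secret values in every record logged through the
    logger, which also catches a stray f-string that dumps the raw message elsewhere."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        # Format once, scrub, and store the result so handlers never see the secret.
        record.msg, record.args = scrub(record.getMessage(), self.secrets), ()
        return True

if __name__ == "__main__":
    # Constructed sample; the real shape comes from the project's _create_init_message().
    init_msg = {"type": "init", "api_key": "sk-EXAMPLE-NOT-REAL",
                "config": {"language": "en", "model": "m1", "frames_silence_duration": 0.5}}
    logger = logging.getLogger("example")
    logger.addFilter(SecretScrubFilter([init_msg["api_key"]]))
    logger.info(safe_init_log_line(init_msg))
```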