Potential fix for code scanning alert no. 84: Clear-text logging of sensitive information

[intel352]

Potential fix for https://github.com/GoCodeAlone/modular/security/code-scanning/84

In general, to fix clear-text logging of potentially sensitive data flowing through generic logging decorators, we should ensure that any untrusted or header-derived values are either omitted, masked, or sanitized before being passed to the underlying logger. Since LoggerDecorator and its implementations are generic and receive args ...any from many call sites (including DryRunHandler.logDryRunResult), the safest fix that does not change external behavior is to introduce a small sanitization step in the decorator layer that can scrub known-sensitive keys or values in the structured logging arguments.

The best targeted fix here is to add a helper in logger_decorator.go (within the shown code) that inspects args ...any as key/value pairs and masks values for keys that might contain sensitive data coming from HTTP headers (for example "tenant", "requestId", and any other we choose), or more generally redact any string values that look like they could hold secrets (optional). Then, we apply this sanitization in the single place where CodeQL points to the sink: PrefixLoggerDecorator.Debug (and, by symmetry and for consistency, we should apply the same sanitization in all PrefixLoggerDecorator methods so the decorator never forwards raw tainted args to the inner logger). This preserves existing message strings and keys while only altering logged values according to a deterministic masking rule.

Concretely:

• In logger_decorator.go, add a private helper function, e.g. sanitizeLogArgs(args []any) []any, near the decorators, using only the standard library (strings is already imported).
• This helper will:
  • Return early if len(args) == 0.
  • Assume structured logging with alternating key/value pairs (as used in logDryRunResult), iterate over the slice, and for every string key in positions 0,2,4,...:
    • If the key equals "tenant" or "requestId" (or both, matching the dry-run logger), replace the corresponding value (if present) with a masked form such as "***".
• In each of PrefixLoggerDecorator.Info, .Error, .Warn, and .Debug, call sanitizeLogArgs(args) before passing them down to d.inner.*.
• We keep the function signature the same and avoid touching other files; all changes are confined to logger_decorator.go within the shown regions.
• No new external dependencies are needed; we can implement masking logic with basic Go operations.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[github-actions]

📋 API Contract Changes Summary

✅ No breaking changes detected - only additions and non-breaking modifications

Changed Components:

Core Framework

Contract diff saved to artifacts/diffs/core.json

Module: auth

Contract diff saved to artifacts/diffs/auth.json

Module: cache

Contract diff saved to artifacts/diffs/cache.json

Module: chimux

Contract diff saved to artifacts/diffs/chimux.json

Module: configwatcher

Contract diff saved to artifacts/diffs/configwatcher.json

Module: database

Contract diff saved to artifacts/diffs/database.json

Module: eventbus

Contract diff saved to artifacts/diffs/eventbus.json

Module: eventlogger

Contract diff saved to artifacts/diffs/eventlogger.json

Module: httpclient

Contract diff saved to artifacts/diffs/httpclient.json

Module: httpserver

Contract diff saved to artifacts/diffs/httpserver.json

Module: jsonschema

Contract diff saved to artifacts/diffs/jsonschema.json

Module: letsencrypt

Contract diff saved to artifacts/diffs/letsencrypt.json

Module: logmasker

Contract diff saved to artifacts/diffs/logmasker.json

Module: reverseproxy

Contract diff saved to artifacts/diffs/reverseproxy.json

Module: scheduler

Contract diff saved to artifacts/diffs/scheduler.json

Artifacts

📁 Full contract diffs and JSON artifacts are available in the workflow artifacts.

[codecov]

Codecov Report

❌ Patch coverage is 63.63636% with 8 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
logger_decorator.go	63.63%	6 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR introduces a small sanitization layer in the logging decorator stack to mitigate CodeQL alert #84 (“clear-text logging of sensitive information”) by masking header-derived identifiers before they reach the underlying logger.

Changes:

• Added sanitizeLogArgs(args []any) []any to mask values for specific structured-log keys (tenant, requestId).
• Updated PrefixLoggerDecorator (Info, Error, Warn, Debug) to forward sanitized structured logging arguments to the inner logger.

[Copilot]

sanitizeLogArgs currently allocates and copies the args slice on every log call (when args is non-empty), even when no sensitive keys are present. This adds avoidable per-log overhead for PrefixLoggerDecorator.

Consider scanning for matching keys first and only allocating/copying when a redaction is actually needed (e.g., copy-on-first-match), otherwise return the original args slice unchanged.

[Copilot]

New redaction behavior is introduced (masking values for "tenant" and "requestId" keys), but there are existing tests for logger_decorator.go and none appear to assert this new behavior. Please add a focused unit test that verifies PrefixLoggerDecorator forwards masked values for these keys (and leaves other keys unchanged) to prevent regressions and to validate the intended security fix.