
SEVERE: Debug Code and Sensitive Data Logging in Production #32

@coderabbitai

Security Issue

Severity: Severe
Related PR: #30

Description

Production code contains debug print statements that log sensitive data, potentially exposing confidential information in logs.

Vulnerable Code

  1. Webhook Handler (backend/app/api/webhooks.py):

```python
# Line 31
print(f"📡 Raw webhook body: {body.decode('utf-8', errors='ignore')}")

# Line 39
print(f"📡 Task Update: {task_id} -> {status}")

# Line 65
print(f"📡 Raw execution update: {body.decode('utf-8', errors='ignore')}")
```

  2. Kestra Client (backend/app/core/kestra_client.py:35):

```python
print(f"Triggering Webhook: {url} with params: {params}")
# Exposes webhook URLs and repository information
```

Security Impact

  • Information Disclosure: Sensitive execution data logged to stdout
  • Credential Leakage: Webhook payloads may contain API keys or tokens
  • Audit Trail Contamination: Debug logs mixed with production logs
  • Performance: Unnecessary I/O operations in production
  • Log Injection: Unfiltered user input in logs enables log injection attacks

What Could Be Exposed

  • Repository URLs and branches
  • Execution IDs and states
  • Task outputs (may contain secrets)
  • Internal system paths
  • Timing information for attacks

Remediation

  1. Replace with Proper Logging:

```python
import logging

logger = logging.getLogger(__name__)

# Instead of print()
logger.debug("Task Update: %s -> %s", task_id, status)
logger.info("Webhook received for execution: %s", execution_id)
```

  2. Sanitize Sensitive Data:

```python
def sanitize_for_logging(data: dict) -> dict:
    sensitive_keys = ['apiKey', 'token', 'password', 'secret']
    return {
        k: '***REDACTED***' if k in sensitive_keys else v
        for k, v in data.items()
    }
```

  3. Use Structured Logging:

```python
logger.info("webhook_received", extra={
    "execution_id": execution_id,
    "task_id": task_id,
    "status": status,
    # Don't log raw bodies
})
```

  4. Configure Log Levels by Environment:

```python
import logging
import os

log_level = os.getenv("LOG_LEVEL", "INFO")
logging.basicConfig(level=log_level)
```
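The four steps above combined into one module, as an added example rather than code from this repository. It goes a bit beyond the issue's snippets: the redaction is recursive (keys inside nested dicts and lists), control characters are stripped from logged strings so a payload cannot forge extra log lines (the Log Injection point under Security Impact), and the outgoing trigger URL is logged without userinfo or query string. The logger name, the extended key list, the `executionId`/`taskId`/`status` field names, the `JsonFormatter` and the sample payload are all assumptions.

```python
import json
import logging
import os
import re
from typing import Any
from urllib.parse import urlparse

logger = logging.getLogger("backend.app.api.webhooks")  # assumed module name

# Keys to redact. The issue names apiKey/token/password/secret; the other
# variants are an assumption, extend them for the project's own payloads.
SENSITIVE_KEY = re.compile(
    r"api[_-]?key|token|passw(or)?d|secret|authorization|credential", re.IGNORECASE
)
# CR/LF and other control characters are what log injection relies on to forge
# extra log lines, so they are replaced in every user-controlled string.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
REDACTED = "***REDACTED***"


def sanitize_for_logging(data: Any, *, max_len: int = 200) -> Any:
    """Log-safe copy of data: sensitive keys redacted at any depth (dicts inside
    lists included), strings cleaned and truncated, bytes decoded leniently."""
    if isinstance(data, dict):
        return {
            str(k): REDACTED if SENSITIVE_KEY.search(str(k))
            else sanitize_for_logging(v, max_len=max_len)
            for k, v in data.items()
        }
    if isinstance(data, (list, tuple)):
        return [sanitize_for_logging(v, max_len=max_len) for v in data]
    if isinstance(data, bytes):
        data = data.decode("utf-8", errors="replace")
    if isinstance(data, str):
        cleaned = CONTROL_CHARS.sub(" ", data)
        if len(cleaned) > max_len:
            cleaned = cleaned[:max_len] + "...[truncated]"
        return cleaned
    return data


class JsonFormatter(logging.Formatter):
    """One JSON object per line; structured fields travel in extra={"fields": {...}}."""

    def format(self, record: logging.LogRecord) -> str:
        out = {"level": record.levelname, "logger": record.name, "msg": record.getMessage()}
        out.update(getattr(record, "fields", {}))
        return json.dumps(out)


def configure_logging() -> int:
    # Level from LOG_LEVEL; an unknown name falls back to INFO, never to DEBUG.
    level = logging.getLevelName(os.getenv("LOG_LEVEL", "INFO").upper())
    if not isinstance(level, int):
        level = logging.INFO
    handler = logging.StreamHandler()
    handler.setFormatter(JsonFormatter())
    root = logging.getLogger()
    root.handlers[:] = [handler]
    root.setLevel(level)
    return level


def webhook_log_fields(raw_body: bytes) -> dict:
    """Fields logged for an incoming webhook. The raw body is never logged; the
    redacted payload goes out at DEBUG only. Payload field names are assumed."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        fields = {"event": "webhook_body_not_json", "body_len": len(raw_body)}
        logger.warning("webhook_body_not_json", extra={"fields": fields})
        return fields
    if not isinstance(payload, dict):
        payload = {}
    fields = {
        "event": "webhook_received",
        "execution_id": sanitize_for_logging(payload.get("executionId")),
        "task_id": sanitize_for_logging(payload.get("taskId")),
        "status": sanitize_for_logging(payload.get("status")),
    }
    logger.info("webhook_received", extra={"fields": fields})
    logger.debug("webhook_payload", extra={"fields": {"payload": sanitize_for_logging(payload)}})
    return fields


def trigger_log_fields(url: str, params: dict) -> dict:
    """Fields for an outgoing Kestra trigger: host and path only (userinfo and
    query string dropped, since either may carry a key) plus sanitized params."""
    u = urlparse(url)
    host = u.netloc.rsplit("@", 1)[-1]
    fields = {"event": "kestra_trigger", "target": f"{u.scheme}://{host}{u.path}",
              "params": sanitize_for_logging(params)}
    logger.info("kestra_trigger", extra={"fields": fields})
    return fields


# Constructed sample payload, not a real Kestra message.
SAMPLE_BODY = json.dumps({
    "executionId": "exec-123", "taskId": "build", "status": "SUCCESS\nERROR forged line",
    "outputs": {"apiKey": "sk-live-abc", "log": "ok"},
    "headers": [{"Authorization": "Bearer xyz"}],
}).encode()

if __name__ == "__main__":
    configure_logging()
    webhook_log_fields(SAMPLE_BODY)
    trigger_log_fields("https://user:pw@kestra.example/api/v1/hook?key=abc",
                       {"repo": "org/repo", "token": "t0k"})
```

Run with `LOG_LEVEL=DEBUG` to see the redacted payload line appear; at the default INFO only the identifiers are emitted. The key regex is deliberately broad (it would also redact a key named `tokenizer`), which is the right direction of error for a log sink.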

Files to Update

  • backend/app/api/webhooks.py
  • backend/app/core/kestra_client.py
  • backend/debug_kestra.py (should not be in production)
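A regression check to keep the `print()` calls from coming back once these files are cleaned up, added here as an example and not part of the project. It walks the AST rather than grepping, so commented-out prints and the string `"print("` are not false positives. The file list repeats the paths the issue names; the sample source is constructed to mirror the quoted lines.

```python
import ast
import sys
from pathlib import Path

# Files the issue lists; that they exist at these paths in the checkout is an assumption.
PRODUCTION_FILES = [
    "backend/app/api/webhooks.py",
    "backend/app/core/kestra_client.py",
]


def find_print_calls(source: str, filename: str = "<string>") -> list[tuple[str, int]]:
    """Return (filename, line) for every call to the builtin print in source."""
    tree = ast.parse(source, filename=filename)
    hits = []
    for node in ast.walk(tree):
        # Only bare `print(...)`; a method named print (obj.print) is an Attribute, not a Name.
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == "print"):
            hits.append((filename, node.lineno))
    return sorted(hits)


def scan_files(paths: list[str]) -> list[tuple[str, int]]:
    """Scan each existing path; missing files are skipped so the check runs in any checkout."""
    hits = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            hits.extend(find_print_calls(path.read_text(encoding="utf-8"), str(path)))
    return hits


# Constructed sample mirroring the patterns quoted in the issue.
SAMPLE_SOURCE = '''\
import logging
logger = logging.getLogger(__name__)

def handle(body, task_id, status):
    print(f"Raw webhook body: {body.decode('utf-8', errors='ignore')}")  # flagged
    logger.debug("Task Update: %s -> %s", task_id, status)  # fine
    # print("commented out")  # not flagged
    msg = "print(" + "inside a string"  # not flagged
    return msg
'''

if __name__ == "__main__":
    found = scan_files(PRODUCTION_FILES)
    for f, line in found:
        sys.stderr.write(f"{f}:{line}: print() call in production code\n")
    sys.exit(1 if found else 0)
```

Wire it into CI (or a pre-commit hook) so the job fails whenever a `print()` lands in the listed modules; extend `PRODUCTION_FILES` to a directory walk if the backend grows.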

Assignee: @haroon0x


Labels: security (Security related issues)
