fix: omit request body from PINECONE_DEBUG_CURL output (CodeQL)#688
Open
jhamon wants to merge 1 commit into
Open
fix: omit request body from PINECONE_DEBUG_CURL output (CodeQL)#688jhamon wants to merge 1 commit into
jhamon wants to merge 1 commit into
Conversation
Resolves CodeQL py/clear-text-logging-sensitive-data alert #83. _log_curl logs a curl-equivalent for debugging, but including the raw request body could expose vector data. Emit body size instead, which is enough for debugging while removing the taint source. Headers are already redacted via _redact_headers (Api-Key masked). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves CodeQL
py/clear-text-logging-sensitive-dataalert #83 atpinecone/_internal/http_client.py:118.Problem
_log_curllogs a curl-equivalent command for debugging (only whenPINECONE_DEBUG_CURLis set). It included the raw request body viabody.decode(), which CodeQL flags as cleartext logging of sensitive data. The body contains request payloads (vectors, query parameters, etc.).Fix
Replace the raw body with
'<N bytes>'in the curl output. This:The API key is already redacted by
_redact_headers— this change covers the body.Verification
No behavior change to production code paths —
_log_curlonly executes whenPINECONE_DEBUG_CURLis set and logs atDEBUGlevel.Part of PIN-16 / PIN-27 (security tail), child of PIN-6.
🤖 Generated with Claude Code
Note
Low Risk
Single-line change in debug-only logging with no production request/response behavior impact.
Overview
When
PINECONE_DEBUG_CURLis set,_log_curlstill emits a curl-style debug line (method, URL, redacted headers) but no longer decodes and logs the raw request body.The
-dfragment is now'<N bytes>'instead of the full UTF-8 payload, so vector/query JSON is not written to debug logs while payload size remains visible for troubleshooting.This is scoped to the opt-in debug path only; normal HTTP behavior is unchanged.
Reviewed by Cursor Bugbot for commit fc3b656. Bugbot is set up for automated code reviews on this repo. Configure here.