Skip to content

security: stop logging raw request body in PINECONE_DEBUG_CURL (CodeQL #83)#687

Open
jhamon wants to merge 1 commit into
mainfrom
security/pin-27-clear-text-logging-body
Open

security: stop logging raw request body in PINECONE_DEBUG_CURL (CodeQL #83)#687
jhamon wants to merge 1 commit into
mainfrom
security/pin-27-clear-text-logging-body

Conversation

@jhamon

@jhamon jhamon commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes CodeQL code-scanning alert #83 py/clear-text-logging-sensitive-data (error/high) at pinecone/_internal/http_client.py _log_curl.

The PINECONE_DEBUG_CURL debug logger previously emitted the raw request body as -d '<body>'. CodeQL flags the body.decode(...) expression as clear-text logging of sensitive data.

Change

Stop logging the request body verbatim. Pinecone request bodies carry user vector and metadata payloads that may contain sensitive data (e.g. PII embedded in metadata), so even under the explicit PINECONE_DEBUG_CURL opt-in the body is now replaced with:

--data-binary @body.json  # <N> byte body omitted

This records the payload size and shows where to supply the body manually, while removing the clear-text path to the logger entirely. Sensitive headers (Api-Key, Authorization, Proxy-Authorization) remain redacted as before.

This removes the finding at the source rather than dismissing it — no code-scanning security_events scope needed.

Testing

Updated the two tests that asserted raw body content; added assertions that the body contents are absent and the byte-count placeholder is present.

uv run pytest tests/unit/test_debug_logging.py tests/unit/_internal/test_http_client_curl_debug.py tests/unit/test_http_client.py -k "curl or log_curl or redact or body"
28 passed, 69 deselected

Resolves PIN-27 (child of PIN-16).

🤖 Generated with Claude Code


Note

Low Risk
Debug-only, opt-in logging path with no change to request behavior; reduces exposure of user data in logs.

Overview
Stops logging raw HTTP request bodies when PINECONE_DEBUG_CURL is enabled, addressing CodeQL clear-text logging of sensitive data in _log_curl.

Instead of emitting -d '<decoded body>', the curl-equivalent debug line now uses --data-binary @body.json # <N> byte body omitted, so payload size is visible without writing vectors/metadata (possible PII) to logs. Sensitive header redaction is unchanged.

Unit tests were updated to assert bodies are absent from logs and the byte-count placeholder is present, including for HTTPClient.post integration.

Reviewed by Cursor Bugbot for commit c93062e. Bugbot is set up for automated code reviews on this repo. Configure here.

…G_CURL

Fixes CodeQL py/clear-text-logging-sensitive-data alert #83 at
pinecone/_internal/http_client.py _log_curl.

The debug curl logger previously emitted the raw request body via
`-d '<body>'`. Pinecone request bodies carry user vector and metadata
payloads that may contain sensitive data (e.g. PII in metadata), so the
body is no longer logged verbatim even under the PINECONE_DEBUG_CURL
opt-in. It is replaced with a `--data-binary @body.json  # N byte body
omitted` placeholder that records the size and shows where to supply the
payload manually. Sensitive headers remain redacted as before.

This removes the CodeQL finding at the source (no clear-text path to the
logger) rather than dismissing it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant