From 69317d14a5a4ea76b3819512c2ac2d41d9f10714 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Sun, 24 May 2026 23:09:12 -0700
Subject: [PATCH] fix(databricks): potential sensitive information exposure in loggin

The `src/databricks/sql/experimental/oauth_persistence.py` file logs token persistence operations at INFO level, including the file path where OAuth tokens are stored. While not the tokens themselves, the file path could be sensitive. More critically, the `DevOnlyFilePersistence` class stores OAuth tokens (access_token and refresh_token) in plaintext JSON without encryption, which is noted as development-only but still presents a risk if misused in production.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/databricks/sql/experimental/oauth_persistence.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/databricks/sql/experimental/oauth_persistence.py b/src/databricks/sql/experimental/oauth_persistence.py
index 13a966126..ec99ba632 100644
--- a/src/databricks/sql/experimental/oauth_persistence.py
+++ b/src/databricks/sql/experimental/oauth_persistence.py
@@ -40,11 +40,13 @@ def read(self, hostname: str) -> Optional[OAuthToken]:
 
 
 # Note this is only intended to be used for development
 class DevOnlyFilePersistence(OAuthPersistence):
+    if not os.environ.get('ENVIRONMENT') == 'dev':
+        logger.warning('DevOnlyFilePersistence is not intended for production use.')
     def __init__(self, file_path):
         self._file_path = file_path
 
     def persist(self, hostname: str, token: OAuthToken):
-        logger.info(f"persisting token in {self._file_path}")
+        logger.debug(f"persisting token in {self._file_path}")
         # Data to be written
         dictionary = {
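Review bot: The added `if not os.environ.get('ENVIRONMENT') == 'dev':` sits directly in the class body, so it is evaluated once when the module is imported, not when a DevOnlyFilePersistence is actually constructed; a production process that imports the module but never uses the class still gets the warning, and the check can be silenced by any deployment that happens to export ENVIRONMENT=dev, which is not a documented setting of this library. Move the check into `__init__` so it fires on real use, and write it as an inequality: `if os.environ.get("ENVIRONMENT") != "dev":` followed by the existing `logger.warning(...)` line, placed before `self._file_path = file_path`; a blank line is also missing between the new block and `def __init__`. I cannot see the module's import section in this hunk, so confirm `os` is imported there. The warning also does nothing about the exposure the commit message itself names, tokens written as plaintext JSON: the write in `persist` continues past the end of the hunk, and if it uses a plain `open(self._file_path, "w")` the file should instead be created owner-readable only, e.g. `os.open(self._file_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`, so other local accounts cannot read the refresh token.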