False positive (?) for sensitive data logging #7992
Status: Closed
Labels: acknowledged (GitHub staff acknowledges this issue), question (Further information is requested)
Description of the issue
First of all, thank you for maintaining these awesome CodeQL checks! It helps to automate the reviews a lot and focus on what really matters.
I think there might be a case for a false positive in the sensitive data logging rules for the following code:
```go
func (c *DatabricksClient) createDebugHeaders(header http.Header, host string) string {
	headers := ""
	if c.DebugHeaders { // <----- by default is false, true only when configured
		if host != "" {
			headers += fmt.Sprintf("\n * Host: %s", escapeNewLines(host))
		}
		for k, v := range header {
			trunc := onlyNBytes(strings.Join(v, ""), c.DebugTruncateBytes)
			headers += fmt.Sprintf("\n * %s: %s", k, escapeNewLines(trunc))
		}
		if len(headers) > 0 {
			headers += "\n"
		}
	}
	return headers
}

...

headers := c.createDebugHeaders(request.Header, c.Host)
log.Printf("[DEBUG] %s %s %s%v", method, escapeNewLines(request.URL.Path),
	headers, c.redactedDump(requestBody)) // lgtm [go/log-injection]
// ^^ Sensitive data returned by HTTP request headers is logged here
```

The rationale is: if the user explicitly turns on debug logging and wants sensitive data to be logged, then c.DebugHeaders will be true.
GitHub CodeQL alerts suggest not to log sensitive headers at all, but it's possible to dismiss them. I wonder how I can adjust this code, or what comment I need to change/apply to silence this rule.
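One defensive adjustment, added here as an example rather than code from the provider or from CodeQL: redact the value of known-sensitive headers before they are formatted, so the debug line never carries a credential regardless of how c.DebugHeaders is set. The helper bodies and the sensitive-header list are assumptions for this example, and the issue does not establish whether CodeQL recognises this as a sanitizer.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Header names whose values must never reach a log line (assumed list for this example).
var sensitiveHeaders = map[string]bool{"Authorization": true, "Cookie": true, "X-Api-Key": true}

// escapeNewLines stands in for the issue's helper: a value cannot forge extra log lines.
func escapeNewLines(s string) string {
	return strings.NewReplacer("\r", "\\r", "\n", "\\n").Replace(s)
}

// onlyNBytes stands in for the issue's helper: keep at most n bytes (n <= 0 keeps all).
func onlyNBytes(s string, n int) string {
	if n > 0 && len(s) > n {
		return s[:n]
	}
	return s
}

// redactedDebugHeaders mirrors createDebugHeaders but replaces the value of every
// sensitive header, so switching debug logging on cannot leak a credential.
func redactedDebugHeaders(header http.Header, truncateBytes int) string {
	headers := ""
	for k, v := range header {
		val := "<redacted>"
		if !sensitiveHeaders[http.CanonicalHeaderKey(k)] {
			val = escapeNewLines(onlyNBytes(strings.Join(v, ""), truncateBytes))
		}
		headers += fmt.Sprintf("\n * %s: %s", k, val)
	}
	if len(headers) > 0 {
		headers += "\n"
	}
	return headers
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Set("Authorization", "Bearer secret-token")
	h.Set("User-Agent", "example/1.0\nforged line")
	fmt.Print(redactedDebugHeaders(h, 64))
}
```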