From f85366bcb58a7edf203b9e8d020dd37ad94af52e Mon Sep 17 00:00:00 2001
From: iammukeshm <iammukeshm@gmail.com>
Date: Thu, 25 Jun 2026 23:32:33 +0530
Subject: [PATCH] fix(notifications): stop logging recipient email in
 BillingEmailSender

Resolves CodeQL cs/exposure-of-sensitive-information (alert #27). The
delivery-failure warning logged the raw recipient address, writing PII to
an external sink (the log). Drop {Email} from the template; {Context}
already identifies the operation for debugging.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .../IntegrationEventHandlers/BillingEmailSender.cs            | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Modules/Notifications/Modules.Notifications/IntegrationEventHandlers/BillingEmailSender.cs b/src/Modules/Notifications/Modules.Notifications/IntegrationEventHandlers/BillingEmailSender.cs
index 0cc96e70ad..9159df9b8b 100644
--- a/src/Modules/Notifications/Modules.Notifications/IntegrationEventHandlers/BillingEmailSender.cs
+++ b/src/Modules/Notifications/Modules.Notifications/IntegrationEventHandlers/BillingEmailSender.cs
@@ -26,7 +26,9 @@ await mail.SendAsync(new MailRequest(
         }
         catch (Exception ex)
         {
-            logger.LogWarning(ex, "Failed to send {Context} email to {Email}", context, email);
+            // Do not log the recipient address — it is PII and the log is an external sink
+            // (CodeQL cs/exposure-of-sensitive-information). The context identifies the operation.
+            logger.LogWarning(ex, "Failed to send {Context} email", context);
         }
     }
 }