Update http.py to mask "x-api-key" header#102
Update http.py to mask "x-api-key" header#102cpandya2909 wants to merge 1 commit intogoogle:mainfrom
Conversation
Header "x-api-key" contains API key for Sec-Gemini Thus, it should not be logged even for Debug log leve. If "x-api-key" is present in headers, make a copy of it, mask header value as "***" and then log it. afterwards, delete masked headers fobject or cleanup
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly masks the x-api-key header in debug logs to prevent leaking sensitive information. The implementation works as intended. However, I've noticed that the code for masking the key is duplicated in both the post and get methods, and the logic within each method can be simplified. I've provided suggestions to refactor the code for better readability and to remove redundancy. As a future improvement, you might consider extracting this logic into a shared private helper method to adhere to the DRY (Don't Repeat Yourself) principle.
| # Headers have x-api-key, which is API key. So skip loggig it. | ||
| if "x-api-key" in headers: | ||
| masked_headers = headers.copy() | ||
| masked_headers["x-api-key"] = "***" | ||
| logging.debug("POST URL: %s, Headers:%s", url, masked_headers) | ||
| del masked_headers | ||
| else: | ||
| logging.debug("POST URL: %s, Headers:%s", url, headers) |
There was a problem hiding this comment.
The logic for masking the API key before logging is correct, but it can be made more concise and readable. The if/else block contains a duplicated logging.debug call. You can refactor this to determine which headers to log first, and then make a single logging call. This also removes the need for del masked_headers, which is redundant as the variable would be garbage collected anyway. Additionally, there's a typo in the comment (loggig).
# Headers have x-api-key, which is an API key, so we mask it for logging.
headers_to_log = headers
if "x-api-key" in headers:
headers_to_log = headers.copy()
headers_to_log["x-api-key"] = "***"
logging.debug("POST URL: %s, Headers:%s", url, headers_to_log)| # Headers have x-api-key, which is API key. So skip loggig it. | ||
| if "x-api-key" in headers: | ||
| masked_headers = headers.copy() | ||
| masked_headers["x-api-key"] = "***" | ||
| logging.debug("GET URL: %s, Headers:%s", url, masked_headers) | ||
| del masked_headers | ||
| else: | ||
| logging.debug("GET URL: %s, Headers:%s", url, headers) |
There was a problem hiding this comment.
Similar to the post method, this logic for masking the API key can be simplified to avoid code duplication in the if/else block and improve readability. The del masked_headers call is also unnecessary. There's also a typo in the comment (loggig).
# Headers have x-api-key, which is an API key, so we mask it for logging.
headers_to_log = headers
if "x-api-key" in headers:
headers_to_log = headers.copy()
headers_to_log["x-api-key"] = "***"
logging.debug("GET URL: %s, Headers:%s", url, headers_to_log)1 participant
Header "x-api-key" contains API key for Sec-Gemini Thus, it should not be logged even for Debug log leve.
If "x-api-key" is present in headers, make a copy of it, mask header value as "***" and then log it.
afterwards, delete masked headers fobject or cleanup