[pre-commit.ci] pre-commit autoupdate #3
base: master
0bf1405 to
500a47b
| if hostname: | ||
| print( | ||
| f"- {client['mac_address']} ({ip}) - {hostname}") | ||
| print(f"- {client['mac_address']} ({ip}) - {hostname}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
sensitive data (private)
Copilot Autofix
AI 3 months ago
To fix the problem, we should avoid logging or displaying sensitive information such as MAC addresses and hostnames in clear text by default. Instead, we can display only non-sensitive information (such as the IP address), or mask/obfuscate the sensitive fields. If displaying the MAC address or hostname is necessary for legitimate administrative purposes, we should provide an explicit command-line flag (e.g., --show-sensitive) to allow their display only when requested.
The best fix for the current code is to mask the MAC address and hostname by default, showing only the last few characters, or replace them with a placeholder (e.g., "Hidden"). Alternatively, we can add a --show-sensitive flag to the clients command, and only display the full MAC address and hostname if this flag is set.
Required changes:
- Update the code block in the `clients` command (lines 287-294) to mask or hide the MAC address and hostname unless a new `--show-sensitive` flag is provided.
- Add the `--show-sensitive` flag to the `clients` subparser.
- Update the print statements to conditionally display sensitive information.
| @@ -136,6 +136,9 @@ | ||
| clients_parser.add_argument( | ||
| "--interval", type=int, default=5, help="Monitoring interval in seconds" | ||
| ) | ||
| clients_parser.add_argument( | ||
| "--show-sensitive", action="store_true", help="Display sensitive client info (MAC, hostname)" | ||
| ) | ||
|
|
||
| # Channels command | ||
| channels_parser = subparsers.add_parser( | ||
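Review bot: the help text for the new `--show-sensitive` argument should state that MAC and hostname are masked by default, so that users understand why the listing changed; e.g. `help="Show full MAC address and hostname (masked by default)"`. `action="store_true"` correctly leaves `args.show_sensitive` false unless the flag is given, which is the right default for an option that reveals private data.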
| @@ -287,11 +290,21 @@ | ||
| print(f"**{len(clients)} clients connected:**") | ||
| for client in clients: | ||
| ip = client.get("ip_address", "Unknown IP") | ||
| mac = client.get("mac_address", "Hidden") | ||
| hostname = client.get("hostname", "") | ||
| if hostname: | ||
| print(f"- {client['mac_address']} ({ip}) - {hostname}") | ||
| if args.show_sensitive: | ||
| if hostname: | ||
| print(f"- {mac} ({ip}) - {hostname}") | ||
| else: | ||
| print(f"- {mac} ({ip})") | ||
| else: | ||
| print(f"- {client['mac_address']} ({ip})") | ||
| # Mask MAC address: show only last 4 chars, rest as '*' | ||
| if mac != "Hidden" and len(mac) >= 4: | ||
| masked_mac = "*" * (len(mac) - 4) + mac[-4:] | ||
| else: | ||
| masked_mac = "Hidden" | ||
| masked_hostname = hostname if not hostname else "Hidden" | ||
| print(f"- {masked_mac} ({ip})") | ||
| else: | ||
| print("No clients connected") | ||
| return 0 |
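Review bot: `masked_hostname = hostname if not hostname else "Hidden"` is never used, and its condition is inverted: it yields the empty string when there is no hostname and `"Hidden"` when there is one, the opposite of a mask. Either delete the line or use it in the masked print, e.g. `masked_hostname = " - Hidden" if hostname else ""` followed by `print(f"- {masked_mac} ({ip}){masked_hostname}")`, so the masked output at least signals that a hostname exists. Also, `mac[-4:]` on a colon-separated MAC such as `AA:BB:CC:DD:EE:FF` reveals `E:FF`, i.e. one and a half octets plus a separator, not the four hex digits the comment implies; masking per octet via `mac.split(":")` makes the guarantee explicit and keeps the output from leaking the separator format.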
| ) | ||
| print( | ||
| f"- {client['mac_address']} ({client['ip_address']}){hostname}") | ||
| f"- {client['mac_address']} ({client['ip_address']}){hostname}" |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
sensitive data (private)
Copilot Autofix
AI 3 months ago
To fix the problem, we should avoid printing sensitive information such as full MAC addresses and IP addresses in clear text. Instead, we can mask or partially obfuscate these values before displaying them. For example, we can show only the first and last octets of the MAC address and the first two octets of the IP address, replacing the rest with asterisks or similar placeholders. This approach allows administrators to identify devices to some extent without exposing the full sensitive data.
The changes should be made in the status method of the HotspotManager class, specifically where the client information is printed (lines 403-404). We will introduce helper functions to mask MAC and IP addresses, and use these functions when printing client information.
We will add the helper functions within the same class (or as static methods), and update the print statement accordingly. No new imports are required.
| @@ -399,14 +399,38 @@ | ||
| hostname = ( | ||
| f" ({client.get('hostname')})" if client.get("hostname") else "" | ||
| ) | ||
| masked_mac = self._mask_mac_address(client['mac_address']) | ||
| masked_ip = self._mask_ip_address(client['ip_address']) | ||
| print( | ||
| f"- {client['mac_address']} ({client['ip_address']}){hostname}" | ||
| f"- {masked_mac} ({masked_ip}){hostname}" | ||
| ) | ||
| else: | ||
| print("\nNo clients connected") | ||
| else: | ||
| print("**Hotspot is not running**") | ||
|
|
||
| @staticmethod | ||
| def _mask_mac_address(mac: str) -> str: | ||
| """ | ||
| Mask a MAC address, showing only the first and last octets. | ||
| Example: 'AA:BB:CC:DD:EE:FF' -> 'AA:****:FF' | ||
| """ | ||
| parts = mac.split(":") | ||
| if len(parts) == 6: | ||
| return f"{parts[0]}:****:{parts[-1]}" | ||
| return "****" | ||
|
|
||
| @staticmethod | ||
| def _mask_ip_address(ip: str) -> str: | ||
| """ | ||
| Mask an IPv4 address, showing only the first two octets. | ||
| Example: '192.168.1.100' -> '192.168.*.*' | ||
| """ | ||
| parts = ip.split(".") | ||
| if len(parts) == 4: | ||
| return f"{parts[0]}.{parts[1]}.*.*" | ||
| return "*.*.*.*" | ||
|
|
||
| def list(self) -> List[Dict[str, str]]: | ||
| """ | ||
| List all active network connections. |
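Review bot: the hostname is still printed in clear text in `f"- {masked_mac} ({masked_ip}){hostname}"`, although the first alert on this PR treats hostname as sensitive; apply the same treatment here (drop it or mask it) so the three print sites behave consistently. `_mask_mac_address` only recognises `:`-separated MACs and returns `"****"` for anything else, and `_mask_ip_address` handles IPv4 only and returns `"*.*.*.*"` for IPv6 clients; both fail closed, which is acceptable, but the docstrings should say so rather than implying a general mask. Finally, `self._mask_ip_address(client['ip_address'])` raises `KeyError` when the field is absent, whereas the other call sites in this PR use `client.get('ip_address', 'Unknown IP')`; prefer `.get()` here too.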
| ) | ||
| print( | ||
| f"- {client['mac_address']} ({client.get('ip_address', 'Unknown IP')}){hostname}") | ||
| f"- {client['mac_address']} ({client.get('ip_address', 'Unknown IP')}){hostname}" |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
sensitive data (private)
Copilot Autofix
AI 3 months ago
To fix the problem, we should avoid printing sensitive client information (MAC address, IP address, and hostname) in clear text. Instead, we can print only non-sensitive summary information, such as the number of connected clients. If more detailed information is needed for debugging, it should be gated behind an explicit debug flag or only made available to trusted users. In the code region shown, specifically lines 665–674, we should remove or redact the printing of sensitive fields. For example, we can print only the count of connected clients, or, if necessary, mask the MAC and IP addresses (e.g., show only the last few characters). No new imports are needed for simple redaction.
| @@ -662,16 +662,8 @@ | ||
| else: | ||
| # Default behavior: print client info | ||
| if clients: | ||
| print(f"\n{len(clients)} clients connected:") | ||
| for client in clients: | ||
| hostname = ( | ||
| f" ({client['hostname']})" | ||
| if "hostname" in client and client["hostname"] | ||
| else "" | ||
| ) | ||
| print( | ||
| f"- {client['mac_address']} ({client.get('ip_address', 'Unknown IP')}){hostname}" | ||
| ) | ||
| print(f"\n{len(clients)} clients connected.") | ||
| # Detailed client information is not printed to avoid exposing sensitive data. | ||
| else: | ||
| print("\nNo clients connected") | ||
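Review bot: the comment `# Default behavior: print client info` directly above `if clients:` is now inaccurate, since per-client information is no longer printed; update it to match the new behaviour. This hunk also removes the detailed listing outright with no opt-in path, unlike the `--show-sensitive` flag the first suggestion adds to the `clients` command; gating the detailed output behind that same flag (masked by default, full values on request) would keep the feature available to administrators while still fixing the default.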
|
|
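The three autofixes above each take a different approach (an opt-in flag, per-field masking helpers, and dropping the detail entirely). The following is an added example, not the project's code and not part of any of the suggestions, showing one shared redaction path that combines them: per-octet MAC masking that accepts either `:` or `-` separators, IP masking that also covers IPv6 through the standard `ipaddress` module, and a `show_sensitive` switch that reveals full values only when explicitly requested. It deliberately goes beyond the page's IPv4-only, colon-only cases; the function names (`mask_mac`, `mask_ip`, `format_client`, `render_clients`) and the sample client records are constructed for this example.

```python
"""Added example: one redaction path for the client listings discussed above.
Names (mask_mac, mask_ip, format_client, render_clients) and the sample
records are constructed for this example; they are not the project's code."""
import ipaddress
import re
from typing import Dict, List

# Six hex octets separated consistently by ':' or '-'; anything else is not a MAC.
_MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})([:-])(?:[0-9A-Fa-f]{2}\2){4}([0-9A-Fa-f]{2})$"
)


def mask_mac(mac: str) -> str:
    """Keep the first and last octet and mask the four in between.

    Masking is per octet, so the amount revealed never depends on the
    separator or letter case. Malformed input fails closed to '****'.
    """
    m = _MAC_RE.match(mac.strip())
    if not m:
        return "****"
    first, sep, last = m.group(1), m.group(2), m.group(3)
    return f"{first.upper()}{sep}****{sep}{last.upper()}"


def mask_ip(ip: str) -> str:
    """Keep the first two octets of an IPv4 address or the first two groups
    of an IPv6 address. ipaddress.ip_address validates the input, so
    unparsable strings fail closed to a fully masked placeholder."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return "*.*.*.*"
    if addr.version == 4:
        a, b, _, _ = str(addr).split(".")
        return f"{a}.{b}.*.*"
    groups = addr.exploded.split(":")  # exploded form always has 8 groups
    return f"{groups[0]}:{groups[1]}:****"


def format_client(client: Dict[str, str], show_sensitive: bool = False) -> str:
    """Render one client line; sensitive fields are masked unless requested."""
    mac = client.get("mac_address", "")
    hostname = client.get("hostname", "")
    has_ip = "ip_address" in client
    ip = client["ip_address"] if has_ip else "Unknown IP"
    if show_sensitive:
        line = f"- {mac or 'Hidden'} ({ip})"
        if hostname:
            line += f" - {hostname}"
        return line
    # Masked path: keep the "Unknown IP" marker instead of masking it.
    line = f"- {mask_mac(mac)} ({mask_ip(ip) if has_ip else ip})"
    if hostname:
        line += " - Hidden"  # signal that a hostname exists without revealing it
    return line


def render_clients(clients: List[Dict[str, str]], show_sensitive: bool = False) -> List[str]:
    """Header plus one line per client, mirroring the listing format in the PR."""
    if not clients:
        return ["No clients connected"]
    lines = [f"{len(clients)} clients connected:"]
    lines.extend(format_client(c, show_sensitive) for c in clients)
    return lines


# Constructed sample data for the example.
SAMPLE_CLIENTS = [
    {"mac_address": "AA:BB:CC:DD:EE:FF", "ip_address": "192.168.1.100", "hostname": "laptop"},
    {"mac_address": "aa-bb-cc-dd-ee-01", "ip_address": "2001:db8::1"},
    {"mac_address": "bogus"},
]

if __name__ == "__main__":
    for line in render_clients(SAMPLE_CLIENTS):
        print(line)
    print("--- with show_sensitive=True ---")
    for line in render_clients(SAMPLE_CLIENTS, show_sensitive=True):
        print(line)
```

Both masks fail closed: a value that does not parse is replaced entirely rather than partially echoed, which is the safer outcome for a log line that may be captured by monitoring tools. Wiring `show_sensitive` to the `--show-sensitive` flag from the first suggestion gives all three print sites the same default.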
f7e07c5 to
cb7d731
updates:
- [github.com/pre-commit/pre-commit-hooks: v5.0.0 → v6.0.0](pre-commit/pre-commit-hooks@v5.0.0...v6.0.0)
- https://github.com/psf/black → https://github.com/psf/black-pre-commit-mirror
- [github.com/psf/black-pre-commit-mirror: 24.10.0 → 25.9.0](psf/black-pre-commit-mirror@24.10.0...25.9.0)
b907d44 to
1ac9184
for more information, see https://pre-commit.ci
updates: