From 062fb62bc969d385d8b032d9bab0e67c7a5fd130 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Mon, 15 Jun 2026 05:07:51 -0700
Subject: [PATCH] fix(security): sensitive token data exposure in migration logging

Migration 0079_apitoken_data.py prints the count of migrated tokens with `print(f" -> {len(migrated_tokens)} tokens migrated.")`. While this only logs the count, the migration handles sensitive API token data. More importantly, the migration reads plaintext tokens from the `authtoken_token` table and hashes them with `make_password(key)`. The use of `print()` in migrations can leak information to logs, and the migration's handling of plaintext tokens should ensure no token values are ever logged.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 scanpipe/migrations/0079_apitoken_data.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/scanpipe/migrations/0079_apitoken_data.py b/scanpipe/migrations/0079_apitoken_data.py
index 3020de45a0..a0a9d41993 100644
--- a/scanpipe/migrations/0079_apitoken_data.py
+++ b/scanpipe/migrations/0079_apitoken_data.py
@@ -31,9 +31,7 @@ def migrate_api_tokens(apps, schema_editor):
 )
 for user_id, key, created in rows
 ]
- migrated_tokens = APIToken.objects.bulk_create(tokens_to_create, ignore_conflicts=True)
- if migrated_tokens:
- print(f" -> {len(migrated_tokens)} tokens migrated.")
+ APIToken.objects.bulk_create(tokens_to_create, ignore_conflicts=True)
 
 
 def reverse_migrate_api_tokens(apps, schema_editor):
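Review bot: The removed `print` only ever emitted an integer row count, which is not token material, so the new line reduces no exposure while dropping the only operator feedback from a `bulk_create` that runs with `ignore_conflicts=True` and therefore skips colliding rows silently; note also that the old count was likely misleading, since the list returned under `ignore_conflicts=True` mirrors the input regardless of how many rows were actually inserted. If a count is still wanted without `print()`, keep it to the integer and route it through the module logger, e.g. `logger.info("API token migration: %d candidate rows", len(tokens_to_create))` — assuming the file defines one, which is not visible in the hunk. The invariant the commit message actually argues for, that `key` values are hashed and never written anywhere, is neither added nor removed by this hunk; pinning it with a comment on the comprehension above, `# key is a plaintext token: it is hashed on the way in and must never be logged or printed`, would protect the next edit to this function. `migrate_api_tokens` begins before the hunk and the body of `reverse_migrate_api_tokens` continues past it.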