Skip to content

CHORE: align connection string sanitizer with its documented key masking#653

Open
bewithgaurav wants to merge 3 commits into
mainfrom
bewithgaurav/sanitizer-mask-password-key
Open

CHORE: align connection string sanitizer with its documented key masking#653
bewithgaurav wants to merge 3 commits into
mainfrom
bewithgaurav/sanitizer-mask-password-key

Conversation

@bewithgaurav

@bewithgaurav bewithgaurav commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Work Item / Issue Reference

Fixed AB#46030


Summary

sanitize_connection_string documents masking of the PWD and Password keys, but
_SENSITIVE_KEYS only listed pwd, so the Password synonym passed through unmasked.
this adds password to _SENSITIVE_KEYS so the implementation matches its documented
behavior, plus regression tests for password / Password / PASSWORD and a braced value.

sanitize_connection_string documents masking of the PWD and Password keys, but _SENSITIVE_KEYS only listed pwd, so the password synonym passed through unmasked. add password to _SENSITIVE_KEYS so the implementation matches the docstring, and add regression tests covering password / Password / PASSWORD and a braced value.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added the pr-size: small Minimal code update label Jun 30, 2026
Comment thread tests/test_007_logging.py Dismissed
Comment thread tests/test_007_logging.py Dismissed
Comment thread tests/test_007_logging.py Dismissed
Comment thread tests/test_007_logging.py Dismissed
Comment thread tests/test_007_logging.py Dismissed
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

📊 Code Coverage Report

🔥 Diff Coverage

100%


🎯 Overall Coverage

80%


📈 Total Lines Covered: 6746 out of 8334
📁 Project: mssql-python


Diff Coverage

Diff: main...HEAD, staged and unstaged changes

  • mssql_python/connection_string_parser.py (100%)

Summary

  • Total: 1 line
  • Missing: 0 lines
  • Coverage: 100%

📋 Files Needing Attention

📉 Files with overall lowest coverage (click to expand)
mssql_python.pybind.logger_bridge.cpp: 59.2%
mssql_python.pybind.ddbc_bindings.h: 59.9%
mssql_python.pybind.logger_bridge.hpp: 70.8%
mssql_python.pybind.connection.connection.cpp: 76.2%
mssql_python.pybind.ddbc_bindings.cpp: 76.3%
mssql_python.row.py: 76.9%
mssql_python.__init__.py: 77.3%
mssql_python.ddbc_bindings.py: 79.6%
mssql_python.logging.py: 85.5%
mssql_python.connection.py: 85.6%

🔗 Quick Links

⚙️ Build Summary 📋 Coverage Details

View Azure DevOps Build

Browse Full Coverage Report

@bewithgaurav bewithgaurav marked this pull request as ready for review June 30, 2026 06:48
Copilot AI review requested due to automatic review settings June 30, 2026 06:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aligns sanitize_connection_string behavior with its documented contract by ensuring the Password synonym is treated as sensitive and masked, and adds regression tests to cover common password casings and braced values.

Changes:

  • Add "password" to the sanitizer’s _SENSITIVE_KEYS set so Password= values are masked.
  • Add tests covering password / Password / PASSWORD and a braced password value containing semicolons.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
mssql_python/connection_string_parser.py Expands sensitive key masking to include password alongside pwd.
tests/test_007_logging.py Adds regression tests for password synonym masking, casing variants, and braced values.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/test_007_logging.py
Comment thread tests/test_007_logging.py
Comment thread tests/test_007_logging.py
Copilot AI and others added 2 commits June 30, 2026 12:23
…t absence

address review feedback: the password synonym tests asserted only that the secret substring was absent, which would also pass under full-redaction fallback. assert password=*** is present and that the output did not fall back to the redacted placeholder.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pr-size: small Minimal code update

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants