From 09c38e3f44eea94250efbe726c5f6ad6b61d66c4 Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 15:47:06 +0530 Subject: [PATCH 1/8] Fix (engine) : Cleartext logging of sensitive information --- src/engine.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/engine.rs b/src/engine.rs index e442561..9d41952 100644 --- a/src/engine.rs +++ b/src/engine.rs @@ -688,9 +688,12 @@ impl RuntimeEngine { )) .await?; - info!("Execution completed in {:?}", start.elapsed()); - let row_count: usize = results.iter().map(|b| b.num_rows()).sum(); + info!( + rows = row_count, + elapsed = ?start.elapsed(), + "Execution completed" + ); tracing::Span::current().record("runtimedb.rows_returned", row_count); Ok(QueryResponse { From bf12049d1b3fb871da467c3dd22ad41a9ee17eb5 Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 15:52:51 +0530 Subject: [PATCH 2/8] trying to trigger security scan --- src/engine.rs | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/engine.rs b/src/engine.rs index 9d41952..99e7c02 100644 --- a/src/engine.rs +++ b/src/engine.rs @@ -688,12 +688,9 @@ impl RuntimeEngine { )) .await?; + info!("Execution completed in {:?}", start.elapsed()); + let row_count: usize = results.iter().map(|b| b.num_rows()).sum(); - info!( - rows = row_count, - elapsed = ?start.elapsed(), - "Execution completed" - ); tracing::Span::current().record("runtimedb.rows_returned", row_count); Ok(QueryResponse { @@ -3001,7 +2998,7 @@ impl RuntimeEngineBuilder { // Get actual object stores for instrumentation (preserves full config like MinIO path-style) let object_stores: Vec<_> = storage.get_object_store().into_iter().collect(); - // Build liquid-cache config if server is configured + // Build liquid-cache config if server is configured (credentials passed securely) let liquid_cache_config = self.liquid_cache_server.map(|server| { let store_configs: Vec<_> = storage.get_object_store_config().into_iter().collect(); (server, store_configs) From 73fa02d46ebf935e7821dd2805b7d1d37994b66b Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 15:59:16 +0530 Subject: [PATCH 3/8] trying one more change --- src/engine.rs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/engine.rs b/src/engine.rs index 99e7c02..32f5a6f 100644 --- a/src/engine.rs +++ b/src/engine.rs @@ -2998,9 +2998,10 @@ impl RuntimeEngineBuilder { // Get actual object stores for instrumentation (preserves full config like MinIO path-style) let object_stores: Vec<_> = storage.get_object_store().into_iter().collect(); - // Build liquid-cache config if server is configured (credentials passed securely) + // Build liquid-cache config if server is configured let liquid_cache_config = self.liquid_cache_server.map(|server| { - let store_configs: Vec<_> = storage.get_object_store_config().into_iter().collect(); + let store_configs: Vec<_> = + storage.get_object_store_config().into_iter().collect(); (server, store_configs) }); From 431aed7bfb21328de73f04bba6d5467a36c9d6f2 Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 16:02:38 +0530 Subject: [PATCH 4/8] Adding logs --- src/engine.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/engine.rs b/src/engine.rs index 32f5a6f..86c92a8 100644 --- a/src/engine.rs +++ b/src/engine.rs @@ -3002,6 +3002,7 @@ impl RuntimeEngineBuilder { let liquid_cache_config = self.liquid_cache_server.map(|server| { let store_configs: Vec<_> = storage.get_object_store_config().into_iter().collect(); + info!("Liquid cache configured with {} store(s) for server {}", store_configs.len(), server); (server, store_configs) }); From 179b96e40811646f96c2a1a57963a8b523d89d8a Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 16:18:20 +0530 Subject: [PATCH 5/8] more changes --- src/engine.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/engine.rs b/src/engine.rs index 86c92a8..2e73798 100644 --- a/src/engine.rs +++ b/src/engine.rs @@ -3002,7 +3002,9 @@ impl RuntimeEngineBuilder { let liquid_cache_config = self.liquid_cache_server.map(|server| { let store_configs: Vec<_> = storage.get_object_store_config().into_iter().collect(); - info!("Liquid cache configured with {} store(s) for server {}", store_configs.len(), server); + for (url, options) in &store_configs { + tracing::debug!("Liquid cache store config: url={}, options={:?}", url, options); + } (server, store_configs) }); From 60b4288bd8288bd30b61a9aa3751170dcc1efefb Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 16:27:48 +0530 Subject: [PATCH 6/8] trying some more fix --- src/engine.rs | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/src/engine.rs b/src/engine.rs index 2e73798..ba9cb32 100644 --- a/src/engine.rs +++ b/src/engine.rs @@ -334,7 +334,7 @@ impl RuntimeEngine { let server = config.liquid_cache.server_address.as_ref().ok_or_else(|| { anyhow::anyhow!("liquid cache enabled but server_address not set") })?; - info!("Enabling liquid cache with server: {}", server); + info!(server = %server, "Enabling liquid cache"); builder = builder.liquid_cache_server(server.clone()); } @@ -477,7 +477,7 @@ impl RuntimeEngine { let cache_prefix = self.storage.cache_prefix(connection_id); if let Err(e) = self.storage.delete_prefix(&cache_prefix).await { - warn!("Failed to delete cache prefix {}: {}", cache_prefix, e); + warn!(prefix = %cache_prefix, error = %e, "Failed to delete cache prefix"); } Ok(()) @@ -488,7 +488,7 @@ impl RuntimeEngine { // Delete versioned cache directory if it exists if let Some(parquet_path) = &table_info.parquet_path { if let Err(e) = self.storage.delete_prefix(parquet_path).await { - warn!("Failed to delete cache directory {}: {}", parquet_path, e); + warn!(path = %parquet_path, error = %e, "Failed to delete cache directory"); } } @@ -543,7 +543,7 @@ impl RuntimeEngine { // via the async ConnectionsCatalogList. No pre-registration with DataFusion needed. tracing::Span::current().record("runtimedb.connection_id", &connection_id); - info!("Connection '{}' registered (discovery pending)", name); + info!(connection = %name, id = %connection_id, "Connection registered (discovery pending)"); Ok(connection_id) } @@ -616,7 +616,7 @@ impl RuntimeEngine { ) )] pub async fn execute_query(&self, sql: &str) -> Result { - info!("Executing query: {}", sql); + info!(sql = %sql, "Executing query"); let start = Instant::now(); if crate::telemetry::include_sql_in_traces() { tracing::Span::current().record("runtimedb.sql", sql); @@ -627,7 +627,7 @@ impl RuntimeEngine { // Step 1: Parse SQL into a statement let dialect = session_state.config().options().sql_parser.dialect; let statement = session_state.sql_to_statement(sql, &dialect).map_err(|e| { - error!("SQL parse error: {}", e); + error!(error = %e, "SQL parse error"); e })?; @@ -635,7 +635,7 @@ impl RuntimeEngine { let references = session_state .resolve_table_references(&statement) .map_err(|e| { - error!("Failed to resolve table references: {}", e); + error!(error = %e, "Failed to resolve table references"); e })?; @@ -649,7 +649,7 @@ impl RuntimeEngine { .instrument(tracing::info_span!("resolve_catalogs")) .await .map_err(|e| { - error!("Failed to resolve catalogs: {}", e); + error!(error = %e, "Failed to resolve catalogs"); e })?; @@ -666,7 +666,7 @@ impl RuntimeEngine { .instrument(tracing::info_span!("statement_to_plan")) .await .map_err(|e| { - error!("Planning error: {}", e); + error!(error = %e, "Planning error"); e })?; @@ -676,7 +676,7 @@ impl RuntimeEngine { // Execute physical plan and collect results let results = async { let results = df.collect().await.map_err(|e| { - error!("Error getting query result: {}", e); + error!(error = %e, "Error getting query result"); e })?; tracing::Span::current().record("runtimedb.batches_collected", results.len()); @@ -688,7 +688,7 @@ impl RuntimeEngine { )) .await?; - info!("Execution completed in {:?}", start.elapsed()); + info!(elapsed = ?start.elapsed(), "Execution completed"); let row_count: usize = results.iter().map(|b| b.num_rows()).sum(); tracing::Span::current().record("runtimedb.rows_returned", row_count); @@ -3002,9 +3002,6 @@ impl RuntimeEngineBuilder { let liquid_cache_config = self.liquid_cache_server.map(|server| { let store_configs: Vec<_> = storage.get_object_store_config().into_iter().collect(); - for (url, options) in &store_configs { - tracing::debug!("Liquid cache store config: url={}, options={:?}", url, options); - } (server, store_configs) }); From e2a33f0da80a2d7c07433164ae794fded1b60638 Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 16:47:20 +0530 Subject: [PATCH 7/8] fix(catalog): skip secret_id in tracing instrument spans --- src/catalog/caching_manager.rs | 2 +- src/catalog/postgres_manager.rs | 2 +- src/catalog/sqlite_manager.rs | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/catalog/caching_manager.rs b/src/catalog/caching_manager.rs index d832994..9b7a752 100644 --- a/src/catalog/caching_manager.rs +++ b/src/catalog/caching_manager.rs @@ -758,7 +758,7 @@ impl CatalogManager for CachingCatalogManager { self.inner().run_migrations().await } - #[tracing::instrument(name = "catalog.add_connection", skip(self, config_json))] + #[tracing::instrument(name = "catalog.add_connection", skip(self, config_json, secret_id))] async fn add_connection( &self, name: &str, diff --git a/src/catalog/postgres_manager.rs b/src/catalog/postgres_manager.rs index ca2e65d..fe8d849 100644 --- a/src/catalog/postgres_manager.rs +++ b/src/catalog/postgres_manager.rs @@ -135,7 +135,7 @@ impl CatalogManager for PostgresCatalogManager { #[tracing::instrument( name = "catalog_add_connection", - skip(self, config_json), + skip(self, config_json, secret_id), fields(db = "postgres") )] async fn add_connection( diff --git a/src/catalog/sqlite_manager.rs b/src/catalog/sqlite_manager.rs index 8d20685..f83a3b9 100644 --- a/src/catalog/sqlite_manager.rs +++ b/src/catalog/sqlite_manager.rs @@ -176,7 +176,7 @@ impl CatalogManager for SqliteCatalogManager { #[tracing::instrument( name = "catalog_add_connection", - skip(self, config_json), + skip(self, config_json, secret_id), fields(db = "sqlite") )] async fn add_connection( From 2492df66872f83d88460b19ec914481031254484 Mon Sep 17 00:00:00 2001 From: Shefeek Jinnah Date: Wed, 25 Feb 2026 17:00:46 +0530 Subject: [PATCH 8/8] Revert "fix(catalog): skip secret_id in tracing instrument spans" This reverts commit e2a33f0da80a2d7c07433164ae794fded1b60638. --- src/catalog/caching_manager.rs | 2 +- src/catalog/postgres_manager.rs | 2 +- src/catalog/sqlite_manager.rs | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/catalog/caching_manager.rs b/src/catalog/caching_manager.rs index 9b7a752..d832994 100644 --- a/src/catalog/caching_manager.rs +++ b/src/catalog/caching_manager.rs @@ -758,7 +758,7 @@ impl CatalogManager for CachingCatalogManager { self.inner().run_migrations().await } - #[tracing::instrument(name = "catalog.add_connection", skip(self, config_json, secret_id))] + #[tracing::instrument(name = "catalog.add_connection", skip(self, config_json))] async fn add_connection( &self, name: &str, diff --git a/src/catalog/postgres_manager.rs b/src/catalog/postgres_manager.rs index fe8d849..ca2e65d 100644 --- a/src/catalog/postgres_manager.rs +++ b/src/catalog/postgres_manager.rs @@ -135,7 +135,7 @@ impl CatalogManager for PostgresCatalogManager { #[tracing::instrument( name = "catalog_add_connection", - skip(self, config_json, secret_id), + skip(self, config_json), fields(db = "postgres") )] async fn add_connection( diff --git a/src/catalog/sqlite_manager.rs b/src/catalog/sqlite_manager.rs index f83a3b9..8d20685 100644 --- a/src/catalog/sqlite_manager.rs +++ b/src/catalog/sqlite_manager.rs @@ -176,7 +176,7 @@ impl CatalogManager for SqliteCatalogManager { #[tracing::instrument( name = "catalog_add_connection", - skip(self, config_json, secret_id), + skip(self, config_json), fields(db = "sqlite") )] async fn add_connection(