Skip to content

Add user profile and data processing functionality with logging #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jacwu wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add user profile and data processing functionality with logging #32

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions github-copilot-features/refactor/pii.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
import logging

# Configure logging
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

def update_customer_record(customer_id, full_name, email_address, phone_number, credit_card_number):
"""
Updates the customer record in the database.
"""
logging.info(f"Starting update for Customer ID: {customer_id}")

logging.info(f"Updating details - Name: {full_name}, Email: {email_address}")
logging.info(f"Contact Phone: {phone_number}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs
sensitive data (private)
Loading
as clear text.

Copilot Autofix

AI 2 months ago

To fix the problem, we should ensure that sensitive data such as phone numbers are not logged in clear text. The best approach is to redact, omit, or replace the sensitive value in the relevant log entry. In this example, the log line on line 13 that logs phone_number should be modified. Possible approaches are:

  • Omit the phone number entirely from the log message.
  • Replace the value with a constant string such as REDACTED or mask it (e.g. only show last 2/3 digits).

The best fix with minimal functional impact is to redact the phone number value in the logging statement. No changes to imports or other parts of the code are necessary.

Suggested changeset 1
github-copilot-features/refactor/pii.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/github-copilot-features/refactor/pii.py b/github-copilot-features/refactor/pii.py
--- a/github-copilot-features/refactor/pii.py
+++ b/github-copilot-features/refactor/pii.py
@@ -10,7 +10,7 @@
     logging.info(f"Starting update for Customer ID: {customer_id}")
     
     logging.info(f"Updating details - Name: {full_name}, Email: {email_address}")
-    logging.info(f"Contact Phone: {phone_number}")
+    logging.info("Contact Phone: [REDACTED]")
     logging.info(f"Payment Info (CC): {credit_card_number}") 
 
     # Simulate database update logic
EOF
@@ -10,7 +10,7 @@
logging.info(f"Starting update for Customer ID: {customer_id}")

logging.info(f"Updating details - Name: {full_name}, Email: {email_address}")
logging.info(f"Contact Phone: {phone_number}")
logging.info("Contact Phone: [REDACTED]")
logging.info(f"Payment Info (CC): {credit_card_number}")

# Simulate database update logic
Copilot is powered by AI and may make mistakes. Always verify output.
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical security issue: Phone number (PII) is being logged. Phone numbers are considered sensitive personal data under privacy regulations.

Recommendation: Remove phone number from log output. Log only the customer_id for tracking purposes.

Suggested change
logging.info(f"Contact Phone: {phone_number}")
logging.info(f"Updating contact phone for Customer ID: {customer_id}")

Copilot uses AI. Check for mistakes.
logging.info(f"Payment Info (CC): {credit_card_number}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs
sensitive data (private)
Loading
as clear text.

Copilot Autofix

AI 2 months ago

To fix this issue, the logging statement that outputs the credit card number in clear text should be removed or modified so that it does not expose the sensitive data. The best approach depends on the needs of operational logging:

  • If it's necessary to record that a credit card was processed without exposing details, log only the presence or last 4 digits (masked) of the credit card number, never the full number.
  • If logging is not required for this field, remove the logging statement entirely.

Thus, specifically in github-copilot-features/refactor/pii.py on line 14, either remove the line or modify it to log only masked information (e.g., ****-****-****-9012).

No new methods or imports are necessary; any masking can be done inline using simple string manipulation.

Suggested changeset 1
github-copilot-features/refactor/pii.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/github-copilot-features/refactor/pii.py b/github-copilot-features/refactor/pii.py
--- a/github-copilot-features/refactor/pii.py
+++ b/github-copilot-features/refactor/pii.py
@@ -11,7 +11,9 @@
     
     logging.info(f"Updating details - Name: {full_name}, Email: {email_address}")
     logging.info(f"Contact Phone: {phone_number}")
-    logging.info(f"Payment Info (CC): {credit_card_number}") 
+    # Mask all but the last 4 digits of the credit card number for logging
+    masked_cc = "****-****-****-" + str(credit_card_number)[-4:]
+    logging.info(f"Payment Info (CC): {masked_cc}")
 
     # Simulate database update logic
     # In a real application, this would interact with a DB
EOF
@@ -11,7 +11,9 @@

logging.info(f"Updating details - Name: {full_name}, Email: {email_address}")
logging.info(f"Contact Phone: {phone_number}")
logging.info(f"Payment Info (CC): {credit_card_number}")
# Mask all but the last 4 digits of the credit card number for logging
masked_cc = "****-****-****-" + str(credit_card_number)[-4:]
logging.info(f"Payment Info (CC): {masked_cc}")

# Simulate database update logic
# In a real application, this would interact with a DB
Copilot is powered by AI and may make mistakes. Always verify output.

Comment on lines +12 to +15
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical security issue: Full name and email address (both PII) are being logged. This violates data privacy regulations and exposes sensitive customer information in logs.

Recommendation: Log only the customer_id without exposing personally identifiable information.

Suggested change
logging.info(f"Updating details - Name: {full_name}, Email: {email_address}")
logging.info(f"Contact Phone: {phone_number}")
logging.info(f"Payment Info (CC): {credit_card_number}")
logging.info(f"Updating customer details for Customer ID: {customer_id}")
# PII removed from logs

Copilot uses AI. Check for mistakes.
Comment on lines +14 to +15
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical security issue: Credit card number is being logged in plain text. This is a severe PCI-DSS violation that exposes payment card data. Credit card numbers should never be logged in full.

Recommendation: Remove this logging entirely. If payment processing tracking is needed, use a tokenized reference or transaction ID instead.

Suggested change
logging.info(f"Payment Info (CC): {credit_card_number}")

Copilot uses AI. Check for mistakes.
# Simulate database update logic
# In a real application, this would interact with a DB
print(f"Database successfully updated for customer {customer_id}")
return True

if __name__ == "__main__":
update_customer_record(
customer_id="CUST-1001",
full_name="Alice Smith",
email_address="alice.smith@example.com",
phone_number="+1-202-555-0123",
credit_card_number="4532-1234-5678-9012"
)
83 changes: 83 additions & 0 deletions github-copilot-features/refactor/pii.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
interface UserProfile {
id: string;
fullName: string;
email: string;
dateOfBirth: Date;
nationalIdentityNumber: string;
address: {
street: string;
city: string;
postalCode: string;
country: string;
};
creditCard?: {
number: string;
expiry: string;
cvv: string;
};
}

class UserDataProcessor {
private readonly region: string;

constructor(region: string) {
this.region = region;
}

public async processUpdate(user: UserProfile): Promise<boolean> {
try {
this.validateUser(user);

console.log(`[AUDIT] Processing update for ${user.id} in region ${this.region}`);
console.log(`[DEBUG] Payload: ${JSON.stringify(user)}`);
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical security issue: The entire user object (containing PII) is being logged, including sensitive data like nationalIdentityNumber, email, address, and credit card information. This violates data privacy regulations (GDPR, PCI-DSS) and exposes sensitive user data in logs.

Recommendation: Log only non-sensitive identifiers like user.id without exposing PII.

Suggested change
console.log(`[DEBUG] Payload: ${JSON.stringify(user)}`);
console.log(`[DEBUG] Payload: { id: ${user.id} }`);

Copilot uses AI. Check for mistakes.

if (user.creditCard) {
console.log(`[INFO] Processing payment method: ${user.creditCard.number} / ${user.creditCard.cvv}`);
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical security issue: Credit card number and CVV are being logged in plain text. This is a severe PCI-DSS violation that exposes payment card data. CVV should never be stored or logged, and credit card numbers should be masked or tokenized.

Recommendation: Remove this logging entirely or use a redacted version like "--****-7777" for the card number. Never log CVV under any circumstances.

Copilot uses AI. Check for mistakes.
}

await this.saveToDatabase(user);
return true;
} catch (error) {
console.error(`[ERROR] Failed to update user ${user.fullName} (${user.nationalIdentityNumber}):`, error);
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical security issue: Logging user's full name and national identity number in error messages exposes PII. National identity numbers are particularly sensitive and should never be logged.

Recommendation: Log only the user.id without exposing full name or national identity number.

Suggested change
console.error(`[ERROR] Failed to update user ${user.fullName} (${user.nationalIdentityNumber}):`, error);
console.error(`[ERROR] Failed to update user ${user.id}:`, error);

Copilot uses AI. Check for mistakes.
return false;
}
}

private validateUser(user: UserProfile): void {
if (!user.email.includes('@')) {
throw new Error(`Invalid email address: ${user.email}`);
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security issue: Email address is being logged, which is considered PII under data protection regulations. While less sensitive than other data, it still poses privacy risks.

Recommendation: Log only the user.id for correlation purposes.

Suggested change
throw new Error(`Invalid email address: ${user.email}`);
throw new Error(`Invalid email address for user ID: ${user.id}`);

Copilot uses AI. Check for mistakes.
}
if (user.nationalIdentityNumber.length < 5) {
throw new Error(`Invalid ID: ${user.nationalIdentityNumber}`);
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security issue: National identity number is being exposed in error messages. This is highly sensitive PII that should never be included in error messages or logs.

Recommendation: Remove the national identity number from the error message. Use a generic error like Invalid ID format for user ${user.id}.

Copilot uses AI. Check for mistakes.
}
}

private async saveToDatabase(user: UserProfile): Promise<void> {
return new Promise((resolve) => {
setTimeout(() => {
console.log(`[DB] Record updated for ${user.email}`);
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security issue: Email address is being logged. While this is less sensitive than other PII, it should be avoided for privacy compliance.

Recommendation: Log only the user.id instead of the email address.

Suggested change
console.log(`[DB] Record updated for ${user.email}`);
console.log(`[DB] Record updated for user ID ${user.id}`);

Copilot uses AI. Check for mistakes.
resolve();
}, 100);
});
}
}

const processor = new UserDataProcessor("EU-WEST");
processor.processUpdate({
id: "USR-99283",
fullName: "Jane Doe",
email: "jane.doe@company.com",
dateOfBirth: new Date("1985-04-12"),
nationalIdentityNumber: "AB123456C",
address: {
street: "123 Privacy Lane",
city: "Brussels",
postalCode: "1000",
country: "Belgium"
},
creditCard: {
number: "4444-5555-6666-7777",
expiry: "12/25",
cvv: "123"
}
});
Loading