@eldar702 is attempting to deploy a commit to the Composio Team on Vercel.
A member of the Team first needs to authorize it.
TriggerSubscription._handle_event (python/composio/core/models/triggers.py) logged the entire raw webhook event string at ERROR level whenever _parse_payload returned None:
self.logger.error(f"Error parsing trigger payload: {event}")
Provider webhook payloads can carry access_token, oauth_token, and other secrets. When parsing fails for any reason, those credentials end up written to log files — a credential-leak. Reported in #2963.
Log only the payload length and an explicit note that the payload was omitted, instead of interpolating the raw event:
self.logger.error(
    f"Error parsing trigger payload (len={len(event)}); "
    "payload omitted to avoid leaking secrets"
)
No secret material reaches the logs, while parse failures stay observable (an ERROR is still emitted). 1 file, ~5 LOC, no new dependencies, no public API change.
Added TestHandleEventLogging in python/tests/test_triggers.py. It drives _handle_event with an unparseable event embedding a sentinel secret (access_token=SUPER_SECRET_TOKEN_2963) and asserts:
caplog), and
"Error parsing trigger payload" error is still logged.
Verified RED on the unpatched code (sentinel leaked into the log line) → GREEN after the fix.
Added .changeset/redact-trigger-parse-error-log.md (@composio/core: patch), following the pattern recent Python-SDK fixes use (e.g. #3380, #3398).
$ uv run --group dev python -m pytest tests/test_triggers.py -q
50 passed in 0.07s
$ uv run --group dev ruff check composio/core/models/triggers.py tests/test_triggers.py
All checks passed!
$ uv run --group dev ruff format --check ...
2 files already formatted
🤖 AI-assistance: Claude (Opus 4.8), reviewed
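The regression check described in this PR, reproduced stand-alone as an added example (not the project's code or its test). Only the two logging calls and the sentinel value come from the page; `parse_payload`, `ListHandler`, `handle_before`, `handle_after` and `error_messages` are hypothetical stand-ins, and the event is a constructed sample.

```python
import json
import logging

SENTINEL = "SUPER_SECRET_TOKEN_2963"  # sentinel named in the PR's test
# Constructed sample event: truncated JSON, so parsing fails.
BAD_EVENT = '{"data": {"access_token": "' + SENTINEL + '"'


class ListHandler(logging.Handler):
    """In-memory sink standing in for pytest's caplog (assumption)."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def parse_payload(event):
    """Hypothetical stand-in parser: returns None on malformed JSON."""
    try:
        return json.loads(event)
    except ValueError:
        return None


def handle_before(logger, event):  # logging call quoted as the old behaviour
    if parse_payload(event) is None:
        logger.error(f"Error parsing trigger payload: {event}")


def handle_after(logger, event):  # logging call from the fix
    if parse_payload(event) is None:
        logger.error(
            f"Error parsing trigger payload (len={len(event)}); "
            "payload omitted to avoid leaking secrets"
        )


def error_messages(handler_fn, event):
    """Run one handler on an isolated logger; return its ERROR messages."""
    logger = logging.getLogger(f"demo.{handler_fn.__name__}")
    logger.propagate = False  # keep the secret out of the root logger too
    sink = ListHandler()
    logger.addHandler(sink)
    handler_fn(logger, event)
    logger.removeHandler(sink)
    return [r.getMessage() for r in sink.records if r.levelno == logging.ERROR]
```

Asserting on `getMessage()` checks the fully formatted line, so a secret passed through `%s` arguments would be caught as well as one interpolated with an f-string.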