fix(sdk): redact sensitive info from ZipDeploy logs#3448
Open
jviau wants to merge 2 commits into
Open
Conversation
Publish and deployment URLs can carry secrets - credentials embedded as user info (https://user:pass@host) or tokens in the query string (e.g. a SAS ?sig=...). These were written verbatim to build logs, which are often captured by CI systems and shared. Add UriLogExtensions.ToLogSafeString() (Uri and string overloads) that retains only scheme, host, optional port, and path, stripping user info, query, and fragment. Apply it to every URL log site in ZipDeploy and DeploymentClient (begin/success/failure/invalid/insecure publish messages and the async deployment location/poll-failure messages).
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a security/logging concern in the Azure Functions .NET SDK ZipDeploy publishing flow by ensuring deployment URLs written to build logs are redacted to avoid leaking credentials (user info) and secrets in query strings/fragments.
Changes:
- Introduces
UriLogExtensions.ToLogSafeString()to strip user info, query, and fragment from URLs before logging. - Applies redaction to ZipDeploy and async-deployment polling log sites (including server-provided
Locationheader logging). - Adds unit/regression tests and updates existing test expectations; adds a release note entry.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| test/Azure.Functions.Sdk.Tests/UriLogExtensionsTests.cs | New unit tests validating URL redaction behavior for Uri and string overloads. |
| test/Azure.Functions.Sdk.Tests/Tasks/Publish/ZipDeployTaskTests.cs | Updates log expectations to match redacted URLs; adds regression coverage for credential/query redaction. |
| src/Azure.Functions.Sdk/ZipDeploy/DeploymentClient.cs | Redacts Location header values before logging async deployment/polling messages. |
| src/Azure.Functions.Sdk/UriLogExtensions.cs | Adds new log-safe URL redaction extensions used by ZipDeploy-related logging. |
| src/Azure.Functions.Sdk/Tasks/Publish/ZipDeploy.cs | Uses ToLogSafeString() when logging publish/deployment URLs (begin/success/failure/validation). |
| src/Azure.Functions.Sdk/release_notes.md | Adds a release note entry for redacting sensitive info from ZipDeploy logs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
RedactRawUrl treated any '@' as a user-info delimiter, so values without a '//' authority (e.g. mailto:user@example.com, relative path api/@me) and '@' characters in the path were incorrectly rewritten. Only strip user-info when a '//' authority marker is present and the '@' falls within the authority region (before the first path '/').
kshyju
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue describing the changes in this PR
resolves #3398
Follow-up to the review question on #3387 (discussion): "Could this potentially log sensitive information? Do we need to sanitize this URL or ensure we're not logging query strings?"
The concern is valid. Publish/deployment URLs can carry secrets:
https://user:password@host).?sig=...), notably for blob-container / pre-signed scenarios.These were being written verbatim to build logs (frequently captured by CI systems and shared). I also confirmed that
new Uri(baseUri, relativePath)preserves the base URI's user info, so the resolved deployment URI logged on success/failure would leak embedded credentials even though the query is replaced.Fix: Added
UriLogExtensions.ToLogSafeString()(Uriandstringoverloads) that retains only scheme, host, optional port, and path — stripping user info, query, and fragment (best-effort for values that don't parse as an absolute URI, and for relative URIs). Applied it to every URL log site:ZipDeploy.cs:Deploy_BeginPublish,Deploy_CompletedSuccess,Deploy_CompletedFailure,Deploy_Failed,Deploy_InvalidPublishUrl,Deploy_InsecurePublishUrl.DeploymentClient.cs:Deploy_AsyncDeployment,Deploy_PollFailure(server-providedLocationheader).Pull request checklist
release_notes.mdAdditional information
UriLogExtensionsTestsunit tests cover user-info/query/fragment stripping, non-default vs default ports, http scheme, relative URIs, null/empty, and best-effort redaction of non-absolute strings.ZipDeployTaskTestsproving credentials and query inPublishUrlare redacted from the logged deployment URL.ZipDeployTaskTestsexpectations (the logged URL no longer includes the?isAsync=truequery).PLACEHOLDERto avoid secret scanning.netstandard2.0andnet472; fullAzure.Functions.Sdk.Testssuite passes onnet472andnet10.0.