fix(database): mask SSH tunnel credentials explicitly on read paths

[rusackas]

SUMMARY

SSH tunnel credential fields (password, private_key, private_key_password) are masked on the database write paths (POST / PUT) via mask_password_info(). On the read paths — GET /api/v1/database/<pk> and GET /api/v1/database/<pk>/connection — the response attached database.ssh_tunnel.data directly, relying solely on the SSHTunnel.data property to mask those fields.

This applies mask_password_info() explicitly on the read paths as well, so the masking contract is enforced at the API boundary consistently with the write paths and is robust to any future change in SSHTunnel.data. Masking is idempotent, so this is safe alongside the property's existing behavior.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend serialization behavior.

TESTING INSTRUCTIONS

Added test_get_database_ssh_tunnel_credentials_are_masked in tests/integration_tests/databases/api_tests.py:

• Creates a database with an SSH tunnel carrying password, private_key, and private_key_password.
• Asserts all three are masked (XXXXXXXXXX) on both GET /<pk> and GET /<pk>/connection.
• Asserts the stored credentials remain intact (only the response is masked).

Run: pytest tests/integration_tests/databases/api_tests.py -k ssh_tunnel

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[bito-code-review]

Code Review Agent Run #157fee

Actionable Suggestions - 0

Additional Suggestions - 1

• tests/integration_tests/databases/api_tests.py - 1

  • Hardcoded mask instead of constant · Line 385-385
    Use the canonical `PASSWORD_MASK` constant (`"X" * 10` from `superset/constants.py:39`) instead of hardcoding the string. The hardcoded `"XXXXXXXXXX"` matches the current value but is a maintenance risk — if `PASSWORD_MASK` ever changes, this test would silently miss regressions. Also remove the redundant `# noqa: S105` comments since PASSWORD_MASK references no longer contain the word "password".

Review Details

• Files reviewed - 2 · Commit Range: f48ec58..f48ec58

  • superset/databases/api.py
  • tests/integration_tests/databases/api_tests.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.35%. Comparing base (3b46a5f) to head (f48ec58).

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #41293   +/-   ##
=======================================
  Coverage   64.34%   64.35%           
=======================================
  Files        2653     2653           
  Lines      144952   144952           
  Branches    33433    33433           
=======================================
+ Hits        93272    93284   +12     
+ Misses      49996    49976   -20     
- Partials     1684     1692    +8     

Flag	Coverage Δ
hive	39.27% <0.00%> (ø)
mysql	58.02% <100.00%> (+0.02%)	⬆️
postgres	58.09% <100.00%> (+0.02%)	⬆️
presto	40.86% <0.00%> (ø)
python	59.53% <100.00%> (+0.02%)	⬆️
sqlite	57.72% <0.00%> (ø)
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.