Merge pull request #440 from kimocoder/alert-autofix-13

Potential fix for code scanning alert no. 13: Clear-text logging of sensitive information

Author: kimocoder

wifite/util/interface_manager.py

@@ -1707,10 +1707,19 @@ def get_available_interfaces() -> List[InterfaceInfo]:
                         # Task 11.1: Log interface capabilities
                         log_info('InterfaceManager', 
                                 f'  {interface_name}: {interface_info.get_capability_summary()}')
+                        # Mask MAC address to avoid logging full hardware identifier
+                        masked_mac = interface_info.mac_address
+                        try:
+                            if isinstance(interface_info.mac_address, str) and interface_info.mac_address:
+                                parts = interface_info.mac_address.split(':')
+                                if len(parts) == 6:
+                                    masked_mac = ':'.join(parts[:3] + ['**', '**', '**'])
+                        except Exception:
+                            pass
                         log_debug('InterfaceManager', 
                                  f'  {interface_name} details: driver={interface_info.driver}, '
                                  f'chipset={interface_info.chipset}, phy={interface_info.phy}, '
-                                 f'mac={interface_info.mac_address}')
+                                 f'mac={masked_mac}')
                         log_debug('InterfaceManager', 
                                  f'  {interface_name} state: mode={interface_info.current_mode}, '
                                  f'up={interface_info.is_up}, connected={interface_info.is_connected}')

wifite/util/logger.py

@@ -92,11 +92,71 @@ def _should_log(cls, level: int) -> bool:
         """Check if message should be logged based on level."""
         return cls._enabled and level >= cls._log_level
 
+    @classmethod
+    def _sanitize_message(cls, message: str) -> str:
+        """
+        Best-effort sanitization to avoid logging sensitive data in clear text.
+
+        Currently masks:
+          - Known wpa-sec API key from Configuration.wpasec_api_key
+          - Command-line API key arguments like "-k <value>" and "--key <value>"
+          - MAC addresses in standard hex notation (aa:bb:cc:dd:ee:ff)
+        """
+        try:
+            # Import lazily to avoid circular imports during module initialization
+            from ..config import Configuration  # type: ignore
+        except Exception:
+            Configuration = None  # type: ignore
+
+        sanitized = message
+
+        # Mask configured wpa-sec API key if present in message
+        try:
+            if Configuration is not None and getattr(Configuration, "wpasec_api_key", None):
+                api_key = Configuration.wpasec_api_key
+                if isinstance(api_key, str) and api_key:
+                    masked_key = api_key[:4] + "*" * (len(api_key) - 4) if len(api_key) > 4 else "****"
+                    sanitized = sanitized.replace(api_key, masked_key)
+        except Exception:
+            # Never let sanitization break logging
+            pass
+
+        # Mask common CLI key patterns: "-k <value>" and "--key <value>"
+        try:
+            import re
+
+            def _mask_cli_key(match):
+                flag = match.group(1)
+                return f"{flag} ****"
+
+            sanitized = re.sub(r"(-k)\s+\S+", _mask_cli_key, sanitized)
+            sanitized = re.sub(r"(--key)\s+\S+", _mask_cli_key, sanitized)
+        except Exception:
+            pass
+
+        # Mask MAC addresses: aa:bb:cc:dd:ee:ff -> aa:bb:cc:**:**:**
+        try:
+            import re
+
+            def _mask_mac(match):
+                full = match.group(0)
+                parts = full.split(":")
+                if len(parts) == 6:
+                    return ":".join(parts[:3] + ["**", "**", "**"])
+                return full
+
+            sanitized = re.sub(r"\b([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b", _mask_mac, sanitized)
+        except Exception:
+            pass
+
+        return sanitized
+
     @classmethod
     def _format_message(cls, level: str, module: str, message: str) -> str:
         """Format log message with timestamp and level."""
         timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
-        return f"[{timestamp}] [{level:8s}] [{module:20s}] {message}"
+        safe_message = cls._sanitize_message(message)
+        return f"[{timestamp}] [{level:8s}] [{module:20s}] {safe_message}"
 
     @classmethod
     def _write_to_file(cls, formatted_message: str):

wifite/util/process.py

@@ -151,7 +151,17 @@ def __init__(self, command, devnull=False, stdout=PIPE, stderr=PIPE, cwd=None, b
         self._devnull_handles = []
 
         cmd_str = " ".join(command) if isinstance(command, list) else str(command)
-        log_debug('Process', f'Creating process: {cmd_str}')
+        # Avoid logging sensitive arguments (e.g. API keys) in clear text
+        try:
+            import re
+            def _mask_cli_key(match):
+                flag = match.group(1)
+                return f"{flag} ****"
+            safe_cmd_str = re.sub(r"(-k)\s+\S+", _mask_cli_key, cmd_str)
+            safe_cmd_str = re.sub(r"(--key)\s+\S+", _mask_cli_key, safe_cmd_str)
+        except Exception:
+            safe_cmd_str = cmd_str
+        log_debug('Process', f'Creating process: {safe_cmd_str}')
 
         if Configuration.verbose > 1:
             Color.pe(f'\n {{C}}[?] {{W}} Executing: {{B}}{" ".join(command)}{{W}}')