Proxy URL log can expose proxy credentials

[henriquevcosta]

Reproducible in:

The Slack SDK version

slack_sdk==3.39.0

Python runtime version

Python 3.11.10

OS info

22.04.1-Ubuntu SMP Tue Dec 2 12:52:18 UTC 2025

Steps to reproduce:

Run the following

import os
from slack_sdk.web import WebClient
import logging
os.environ["HTTPS_PROXY"]="http://bob:secret@example.com"

logging.basicConfig(level=logging.DEBUG)
x = WebClient(token='fake')

Expected result:

The credentials part of the proxy URL should be redacted or the URL not printed at all.

Actual result:

The full URL gets printed, including user:pass

DEBUG:slack_sdk.web.base_client:HTTP proxy URL has been loaded from an env variable: http://bob:secret@example.com

[WilliamBergamin]

Hi @henriquevcosta thanks for reporting this 💯

We consider setting the log level to DEBUG as "proceed with caution" in terms of security. I've reached out to others to validate what behavior the SDK should implement

We could consider not log the proxy configurations at all or potentially mask the critical sections of the configurations with something like the following

def mask_proxy_secure(proxy_url):
    # Method 2: URL parsing (more robust)
    parsed = urlparse(proxy_url)
    # Rebuild URL without netloc credentials
    safe_netloc = parsed.hostname
    if parsed.port:
        safe_netloc += f":{parsed.port}"
    # Replace netloc and clear user info
    safe_url = parsed.replace(netloc=safe_netloc)
    return urlunparse(safe_url)

As a quick work around you can configure your logger to omit logging this line with something like

class ProxyLogFilter(logging.Filter):
    def filter(self, record):
        return "proxy URL has been loaded" not in record.getMessage()

logging.basicConfig(level=logging.DEBUG)

slack_logger = logging.getLogger("slack_sdk.web.base_client")
slack_logger.addFilter(ProxyLogFilter())

os.environ["HTTPS_PROXY"]="http://bob:secret@example.com"

x = WebClient(token='fake')