security: fix #3 — redact params in GelbooruClient debug log

Same fix as danbooru.py and e621.py — Gelbooru's params dict carries api_key + user_id when configured. Route through redact_params() before the debug log emits them. Audit-Ref: SECURITY_AUDIT.md finding #3 Severity: Medium
2026-04-11 16:13:25 -05:00 · 2026-04-11 16:13:25 -05:00 · 19a22be59c
commit 19a22be59c
parent 49fa2c5b7a
1 changed files with 2 additions and 1 deletions
--- a/booru_viewer/core/api/gelbooru.py
+++ b/booru_viewer/core/api/gelbooru.py
@ -5,6 +5,7 @@ from __future__ import annotations
 import logging

 from ..config import DEFAULT_PAGE_SIZE
+from ._safety import redact_params
 from .base import BooruClient, Post, _parse_date

 log = logging.getLogger("booru")
@ -43,7 +44,7 @@ class GelbooruClient(BooruClient):

        url = f"{self.base_url}/index.php"
        log.info(f"GET {url}")
-        log.debug(f"  params: {params}")
+        log.debug(f"  params: {redact_params(params)}")
        resp = await self._request("GET", url, params=params)
        log.info(f"  -> {resp.status_code}")
        if resp.status_code != 200: