Hello! I was debugging the logs emitted by the connector and I found that the class DefaultStreamLoader exposes sensitive information like the username and password used to connect to StarRocks during the stream load process.

https://github.com/StarRocks/starrocks-connector-for-apache-flink/blob/main/starrocks-stream-load-sdk/src/main/java/com/starrocks/data/load/stream/DefaultStreamLoader.java#L131

```java
public void start(StreamLoadProperties properties, StreamLoadManager manager) {
    if (start.compareAndSet(false, true)) {
        // previous code
        // ....
        // the last line contains the next message:
        log.info("Default Stream Loader start, properties : {}, defaultHeaders : {}",
                propertiesStr, headerStr);
    }
}
```

The `defaultHeaders` is printing sensitive information. This is a sample of the collected log:

```
Default Stream Loader start, properties : {"jdbcUrl":"jdbc:mysql://my-starrocks-service:9030","loadUrls":["http://my-starrocks-service:8030","http://my-starrocks-service:8030"],"username":"my-user","version":"3.1.17-67ae3b7","starRocksVersion":{"major":3,"minor":1,"patch":17},"labelPrefix":null,"defaultTableProperties":{"uniqueKey":"mydb.mytable","database":"mydb","table":"mytable","dataFormat":"JsonFormat{first=[, delimiter=,, end=]}","tableProperties":{},"properties":{"db":"mydb","table":"mytable"},"enableUpsertDelete":true,"chunkLimit":3221225472,"maxBufferRows":2147483647,"columns":null,"commonProperties":{"format":"json"}},"tablePropertiesMap":{},"enableTransaction":true,"scanningFrequency":50,"maxCacheBytes":94371840,"expectDelayTime":300000,"connectTimeout":30000,"socketTimeout":-1,"waitForContinueTimeoutMs":30000,"ioThreadCount":2,"writingThreshold":50,"regionBufferRatio":0.6,"youngThreshold":0.1,"oldThreshold":0.9,"maxRetries":0,"retryIntervalInMs":10000,"headers":{"format":"json","strip_outer_array":"true","ignore_json_size":"true"},"opAutoProjectionInJson":true}, defaultHeaders : [{"name":"format","value":"json","elements":[{"name":"json","value":null,"parameters":[],"parameterCount":0}]},{"name":"Authorization","value":"Basic bXktdXNlcjpteS1wYXNzd29yZA==","elements":[{"name":"Basic bXktdXNlcjpteS1wYXNzd29yZA","value":"=","parameters":[],"parameterCount":0}]},{"name":"strip_outer_array","value":"true","elements":[{"name":"true","value":null,"parameters":[],"parameterCount":0}]},{"name":"Expect","value":"100-continue","elements":[{"name":"100-continue","value":null,"parameters":[],"parameterCount":0}]},{"name":"ignore_json_size","value":"true","elements":[{"name":"true","value":null,"parameters":[],"parameterCount":0}]},{"name":"timeout","value":"600","elements":[{"name":"600","value":null,"parameters":[],"parameterCount":0}]}]
```

It is super easy to transform the Authorization value from base64 to plain text and get the password! What if we simply remove this log or change the shown data? Another possible option could be to make it a debug log, not info.

Regards,
Fabri
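As an added illustration (this is not the connector's code and not part of the original issue): a stand-alone Java 16+ class that rebuilds the `Authorization` header the way the logged JSON shows it, decodes it the way any reader of the log could, and applies a redaction pass of the kind that could run over the header list before the `log.info` call in `DefaultStreamLoader.start()`. `Header`, `basicAuth`, `decodeBasic`, `redact`, `render` and the `SENSITIVE` set are hypothetical names introduced here; that the SDK's real headers are Apache HttpCore `Header` objects is an assumption drawn from the `elements`/`parameterCount` fields in the logged JSON.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not the connector's code. Shows why logging the default
 * headers leaks the StarRocks credential and how a redaction step before
 * the log call removes the leak.
 */
public class HeaderRedactionExample {

    /** Minimal name/value pair standing in for org.apache.http.Header (assumption). */
    public record Header(String name, String value) {}

    /** Header names whose values must never reach a log line (case-insensitive). */
    private static final Set<String> SENSITIVE =
            Set.of("authorization", "proxy-authorization", "cookie", "set-cookie");

    /** Builds the Basic Authorization header exactly as an HTTP client would. */
    public static Header basicAuth(String user, String password) {
        String token = Base64.getEncoder()
                .encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
        return new Header("Authorization", "Basic " + token);
    }

    /** What anyone reading the log can do: recover "user:password" from the Basic token. */
    public static String decodeBasic(String headerValue) {
        String token = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8);
    }

    /** Returns a copy of the headers with sensitive values masked; safe to hand to a logger. */
    public static List<Header> redact(List<Header> headers) {
        List<Header> out = new ArrayList<>(headers.size());
        for (Header h : headers) {
            boolean sensitive = SENSITIVE.contains(h.name().toLowerCase(Locale.ROOT));
            out.add(sensitive ? new Header(h.name(), "<redacted>") : h);
        }
        return out;
    }

    /** Renders headers as name=value pairs, the part of the logged JSON that matters here. */
    public static String render(List<Header> headers) {
        StringBuilder sb = new StringBuilder("[");
        for (int i = 0; i < headers.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append(headers.get(i).name()).append('=').append(headers.get(i).value());
        }
        return sb.append(']').toString();
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the header list in the issue's log line.
        List<Header> defaultHeaders = List.of(
                new Header("format", "json"),
                basicAuth("my-user", "my-password"),
                new Header("strip_outer_array", "true"),
                new Header("Expect", "100-continue"));

        // Current behaviour: the Basic token lands in the log and is trivially reversible.
        System.out.println("leaked  : " + render(defaultHeaders));
        System.out.println("decoded : " + decodeBasic(defaultHeaders.get(1).value()));

        // Fixed behaviour: redact before logging, whatever the log level.
        System.out.println("redacted: " + render(redact(defaultHeaders)));
    }
}
```

The `propertiesStr` half of the same log line also carries `username`, so a deny-list applied to the header list is only part of the fix. Dropping the line to `log.debug` narrows exposure but does not remove it: DEBUG is exactly what gets turned on in the debugging sessions where logs are pasted into tickets, as happened here.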
fabrizziocht changed the title from "DefaultStreamLoader is exposing sensitive information" to "[Security] DefaultStreamLoader is exposing sensitive information" on Mar 1, 2025