Skip to content

Commit 3cf1c6d

Browse files
fix(security): redact common secret bearing key value patterns
Potential fix for code scanning alert: "Clear-text logging of sensitive information" Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent b646143 commit 3cf1c6d

1 file changed

Lines changed: 17 additions & 1 deletion

File tree

agent/src/server.py

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
import contextlib as _ctx_for_debug
1313
import logging
1414
import os
15+
import re
1516
import threading
1617
import time as _time_for_debug
1718
import traceback
@@ -31,12 +32,27 @@
3132

3233

3334
def _redact_cached_credentials(text: str) -> str:
34-
"""Remove cached env secrets from debug text before stdout / CloudWatch."""
35+
"""Remove sensitive material from debug text before stdout / CloudWatch."""
3536
out = text
37+
38+
# 1) Redact exact cached secret values when present.
3639
for env_key in ("GITHUB_TOKEN", "LINEAR_API_TOKEN"):
3740
secret = os.environ.get(env_key) or ""
3841
if len(secret) >= 12:
3942
out = out.replace(secret, f"<{env_key}_REDACTED>")
43+
44+
# 2) Redact common secret-bearing key/value patterns.
45+
secret_patterns = (
46+
r"(?i)\b(github_token|linear_api_token|token|secret|api[_-]?key|password)\b\s*[:=]\s*([^\s,;]+)",
47+
r"(?i)\b(authorization)\b\s*[:=]\s*(bearer\s+)?([^\s,;]+)",
48+
)
49+
for pattern in secret_patterns:
50+
out = re.sub(
51+
pattern,
52+
lambda m: f"{m.group(1)}=<REDACTED>",
53+
out,
54+
)
55+
4056
return out
4157

4258

0 commit comments

Comments
 (0)