diff --git a/.jules/sentinel.md b/.jules/sentinel.md index e644cad..d2cc8c5 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -39,3 +39,8 @@ **Vulnerability:** The `filterSensitiveFields` function in `src/providers/index.ts` used a manual recursive loop to drop sensitive keys, but it failed to recurse into arrays. If a configuration object contained an array with sensitive nested objects, those secrets would be leaked in debug logs. **Learning:** Manual object traversal for redaction is prone to edge cases (like arrays or circular references). **Prevention:** Use a custom replacer function with `JSON.stringify` to safely and completely redact sensitive fields across all nested structures. + +## 2026-03-12 - Secret Leakage of Common Web Authentication Tokens +**Vulnerability:** The `isSensitiveKey` function missed common credential identifiers like `bearer`, `session`, `jwt`, and `cookie`. These are frequently used in headers and objects, leading to plaintext exposure in logs. +**Learning:** Hardcoded sensitive key patterns need to account for diverse authentication mechanisms, not just generic "key" or "secret" terms. +**Prevention:** Include a comprehensive set of common credential token names (`bearer`, `session`, `jwt`, `cookie`) in the `SENSITIVE_KEY_PATTERNS` array. diff --git a/src/sensitive.ts b/src/sensitive.ts index 3917a58..6bf387e 100644 --- a/src/sensitive.ts +++ b/src/sensitive.ts @@ -8,6 +8,10 @@ const SENSITIVE_KEY_PATTERNS = [ "auth", "credential", "authorization", + "bearer", + "session", + "jwt", + "cookie", ]; export function isSensitiveKey(key: string): boolean {