From 5b9a5244e765ad83ef362772f203f789eef89d48 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 3 Jul 2026 12:56:46 +0000 Subject: [PATCH] feat: expand sensitive key patterns to prevent credential leakage Co-authored-by: hongymagic <302730+hongymagic@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ src/sensitive.ts | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index e644cad..d2cc8c5 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -39,3 +39,8 @@ **Vulnerability:** The `filterSensitiveFields` function in `src/providers/index.ts` used a manual recursive loop to drop sensitive keys, but it failed to recurse into arrays. If a configuration object contained an array with sensitive nested objects, those secrets would be leaked in debug logs. **Learning:** Manual object traversal for redaction is prone to edge cases (like arrays or circular references). **Prevention:** Use a custom replacer function with `JSON.stringify` to safely and completely redact sensitive fields across all nested structures. + +## 2026-03-12 - Secret Leakage of Common Web Authentication Tokens +**Vulnerability:** The `isSensitiveKey` function missed common credential identifiers like `bearer`, `session`, `jwt`, and `cookie`. These are frequently used in headers and objects, leading to plaintext exposure in logs. +**Learning:** Hardcoded sensitive key patterns need to account for diverse authentication mechanisms, not just generic "key" or "secret" terms. +**Prevention:** Include a comprehensive set of common credential token names (`bearer`, `session`, `jwt`, `cookie`) in the `SENSITIVE_KEY_PATTERNS` array. diff --git a/src/sensitive.ts b/src/sensitive.ts index 3917a58..6bf387e 100644 --- a/src/sensitive.ts +++ b/src/sensitive.ts @@ -8,6 +8,10 @@ const SENSITIVE_KEY_PATTERNS = [ "auth", "credential", "authorization", + "bearer", + "session", + "jwt", + "cookie", ]; export function isSensitiveKey(key: string): boolean {