Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,8 @@
**Vulnerability:** The `filterSensitiveFields` function in `src/providers/index.ts` used a manual recursive loop to drop sensitive keys, but it failed to recurse into arrays. If a configuration object contained an array with sensitive nested objects, those secrets would be leaked in debug logs.
**Learning:** Manual object traversal for redaction is prone to edge cases (like arrays or circular references).
**Prevention:** Use a custom replacer function with `JSON.stringify` to safely and completely redact sensitive fields across all nested structures.

## 2026-03-12 - Secret Leakage of Common Web Authentication Tokens
**Vulnerability:** The `isSensitiveKey` function missed common credential identifiers like `bearer`, `session`, `jwt`, and `cookie`. These are frequently used in headers and objects, leading to plaintext exposure in logs.
**Learning:** Hardcoded sensitive key patterns need to account for diverse authentication mechanisms, not just generic "key" or "secret" terms.
**Prevention:** Include a comprehensive set of common credential token names (`bearer`, `session`, `jwt`, `cookie`) in the `SENSITIVE_KEY_PATTERNS` array.
4 changes: 4 additions & 0 deletions src/sensitive.ts
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ const SENSITIVE_KEY_PATTERNS = [
"auth",
"credential",
"authorization",
"bearer",
"session",
"jwt",
"cookie",
];

export function isSensitiveKey(key: string): boolean {
Expand Down