Skip to content

πŸ›‘οΈ Sentinel: [HIGH] Fix clap environment variable secret leakage#163

Merged
ffalcinelli merged 6 commits into
mainfrom
sentinel-clap-secret-leak-17409470417566086816
Jul 12, 2026
Merged

πŸ›‘οΈ Sentinel: [HIGH] Fix clap environment variable secret leakage#163
ffalcinelli merged 6 commits into
mainfrom
sentinel-clap-secret-leak-17409470417566086816

Conversation

@ffalcinelli

Copy link
Copy Markdown
Owner

🚨 Severity: HIGH
πŸ’‘ Vulnerability: The CLI was configured to read sensitive environment variables (KEYCLOAK_PASSWORD, KEYCLOAK_CLIENT_SECRET, VAULT_TOKEN) using clap's env = "..." attribute (or manually parsing them after clap ignored them). By default, if clap sees an env attribute, running kaji --help prints the current value of that environment variable in plaintext to the terminal (e.g., [env: KEYCLOAK_PASSWORD=my_top_secret_password]).
🎯 Impact: Exposes credentials to terminal scrollbacks, CI/CD pipeline logs, and screen sharing if a user simply runs --help while authenticated.
πŸ”§ Fix: Applied the hide_env_values = true attribute to password, client_secret, and vault_token in src/args.rs. Refactored password and client_secret to be natively parsed by clap rather than manually in main.rs, standardizing secret handling and securing all inputs.
βœ… Verification: Ran KEYCLOAK_PASSWORD=topsecret cargo run -- --help and verified the output now shows [env: KEYCLOAK_PASSWORD] without exposing the value. Cargo test suite passes.


PR created automatically by Jules for task 17409470417566086816 started by @ffalcinelli

Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

βœ… All modified and coverable lines are covered by tests.
βœ… Project coverage is 95.86%. Comparing base (7a12297) to head (7c70438).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #163   +/-   ##
=======================================
  Coverage   95.86%   95.86%           
=======================================
  Files          28       28           
  Lines        2345     2345           
=======================================
  Hits         2248     2248           
  Misses         97       97           

β˜” View full report in Codecov by Harness.
πŸ“’ Have feedback on the report? Share it here.

πŸš€ New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

google-labs-jules Bot and others added 5 commits July 11, 2026 16:39
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
@ffalcinelli ffalcinelli merged commit e91110c into main Jul 12, 2026
10 checks passed
@ffalcinelli ffalcinelli deleted the sentinel-clap-secret-leak-17409470417566086816 branch July 12, 2026 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant