π‘οΈ Sentinel: [HIGH] Fix clap environment variable secret leakage#163
Conversation
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
Codecov Reportβ
All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #163 +/- ##
=======================================
Coverage 95.86% 95.86%
=======================================
Files 28 28
Lines 2345 2345
=======================================
Hits 2248 2248
Misses 97 97 β View full report in Codecov by Harness. π New features to boost your workflow:
|
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
Co-authored-by: ffalcinelli <1167082+ffalcinelli@users.noreply.github.com>
π¨ Severity: HIGH
π‘ Vulnerability: The CLI was configured to read sensitive environment variables (
KEYCLOAK_PASSWORD,KEYCLOAK_CLIENT_SECRET,VAULT_TOKEN) usingclap'senv = "..."attribute (or manually parsing them afterclapignored them). By default, ifclapsees anenvattribute, runningkaji --helpprints the current value of that environment variable in plaintext to the terminal (e.g.,[env: KEYCLOAK_PASSWORD=my_top_secret_password]).π― Impact: Exposes credentials to terminal scrollbacks, CI/CD pipeline logs, and screen sharing if a user simply runs
--helpwhile authenticated.π§ Fix: Applied the
hide_env_values = trueattribute topassword,client_secret, andvault_tokeninsrc/args.rs. Refactoredpasswordandclient_secretto be natively parsed byclaprather than manually inmain.rs, standardizing secret handling and securing all inputs.β Verification: Ran
KEYCLOAK_PASSWORD=topsecret cargo run -- --helpand verified the output now shows[env: KEYCLOAK_PASSWORD]without exposing the value. Cargo test suite passes.PR created automatically by Jules for task 17409470417566086816 started by @ffalcinelli