Skip to content

πŸ”’οΈ fix: redact Authorization header in debug transport output#46

Merged
kwent merged 2 commits into
masterfrom
features/security-audit
Jul 15, 2026
Merged

πŸ”’οΈ fix: redact Authorization header in debug transport output#46
kwent merged 2 commits into
masterfrom
features/security-audit

Conversation

@kwent

@kwent kwent commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

  • Security audit found that --debug mode dumps raw Authorization: Bearer <token> to stderr via httputil.DumpRequestOut, leaking API keys and OAuth tokens in CI logs and log aggregation systems.
  • Fix clones the request before dumping and replaces the auth header with Bearer [REDACTED]. The real token is still sent to the server unchanged.
  • Adds 3 regression tests covering redaction, preserved auth on the wire, and no-auth-header behavior.

Test plan

  • TestDebugTransportRedactsAuthorization β€” raw token absent, [REDACTED] present in stderr
  • TestDebugTransportPreservesActualAuthHeader β€” server receives real token
  • TestDebugTransportNoAuthHeader β€” no spurious redaction without auth header
  • Full test suite passes (486 tests)

Debug mode (`--debug` / `ROOTLY_DEBUG`) was dumping full HTTP requests
including the raw Authorization header (API key or OAuth token) to
stderr. In CI pipelines and log aggregation systems this exposes
credentials in plaintext.

Clones the request before dumping and replaces the Authorization value
with `Bearer [REDACTED]`. The original request with the real token is
still sent to the server unchanged.

Adds 3 regression tests:
- Redaction appears in debug output
- Real token still reaches the server
- No spurious redaction when no auth header present

πŸ€– Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown

Greptile Summary

This PR redacts Authorization values from debug HTTP request output. The main changes are:

  • Clone requests before creating debug output.
  • Replace the logged Authorization value with Bearer [REDACTED].
  • Avoid reading the original request body during logging.
  • Add tests for redaction, wire behavior, and missing headers.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
internal/api/client.go Debug logging now uses a cloned request with a redacted Authorization header and no body.
internal/api/client_test.go Tests cover redaction in debug output, unchanged outgoing authorization, and requests without authorization.

Reviews (2): Last reviewed commit: "πŸ› fix: prevent body consumption and fix..." | Re-trigger Greptile

Comment thread internal/api/client.go Outdated
Address Greptile review feedback: DumpRequestOut with body=true was
consuming the shared request body via Clone's shallow copy, causing
POST/PUT/PATCH requests to arrive empty at the server. Now dumps
headers only (body=false) with http.NoBody on the clone.

Also fix lint: close response bodies, use http.NoBody, use
NewRequestWithContext in tests.

πŸ€– Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@kwent

kwent commented Jul 15, 2026

Copy link
Copy Markdown
Member Author

@greptileai

@kwent
kwent merged commit a7c2673 into master Jul 15, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant