Skip to content

[Security] config output reveals full short API keys #203

Description

@404-Page-Found

Description

maskApiKey() is intended to hide secrets, but for short keys it reveals the entire value before adding dots.

Location

  • src/commands/config.ts:97
  • src/commands/config.ts:104

Problematic code

const visibleLength = Math.min(4, Math.max(2, apiKey.length));
return `${apiKey.slice(0, visibleLength)}••••`;

Suggested fix

Cap the visible prefix independently from the key length so very short keys are still partially masked. Adding or expanding tests around short inputs would help too.

Impact

Test keys and local dev tokens with only a few characters can be fully exposed in CLI output and JSON output.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions