Skip to content

Potential fix for code scanning alert no. 3: Clear-text logging of sensitive information #146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
utkarsh232005 merged 1 commit into from
Jun 8, 2026
+3 −6
Merged

Potential fix for code scanning alert no. 3: Clear-text logging of sensitive information #146

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 3 additions & 6 deletions src/commands/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,15 +67,12 @@ const parseCustomHeaders = (headers: string[]): Record<string, string> => {
};

/**
* Masks secrets/API keys to avoid leaking them in plain text display.
* Returns a non-sensitive credential status for display.
* @param provider The AI provider configuration.
* @returns Masked representation.
* @returns '(set)' when a password exists, otherwise '(not set)'.
*/
const getMaskedSecret = (provider: AIProviderConfig): string => {
const secret = provider.password;
if (!secret) return '(not set)';
if (secret.length <= 8) return '********';
return `${secret.substring(0, 4)}...${secret.substring(secret.length - 4)}`;
return provider.password ? '(set)' : '(not set)';
};
Comment on lines 69 to 76

@coderabbitai coderabbitai Bot Jun 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Find test assertions that expect the old masked secret format

# Search for test files asserting on masked credential patterns
rg -n -C3 --type=ts --glob='**/*test*' -e 'supe.*ikey|stringContaining.*\.\.\.' -e 'getMaskedSecret' -e 'auth.*list'

Repository: KDM-cli/kdm-cli

Length of output: 1057

Update auth list test expectations for credential status output.
src/__tests__/auth.test.ts currently asserts expect(...).toHaveBeenCalledWith(...'supe...ikey'), but getMaskedSecret now returns '(set)' when provider.password exists (and '(not set)' otherwise). Change the assertion to expect '(set)' to match the new output format.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/commands/auth.ts` around lines 69 - 76, Update the test in
src/__tests__/auth.test.ts to match the new output of getMaskedSecret: replace
the expectation that checks for the obfuscated key string (e.g., 'supe...ikey')
with the literal '(set)' when provider.password is present; locate the assertion
referencing auth list output and change its expected value to '(set)' so it
aligns with the getMaskedSecret(provider: AIProviderConfig) implementation.


/**
Expand Down
Loading