diff --git a/.changeset/security-redact-cookies-in-logs.md b/.changeset/security-redact-cookies-in-logs.md new file mode 100644 index 00000000000..e2f1096fb97 --- /dev/null +++ b/.changeset/security-redact-cookies-in-logs.md @@ -0,0 +1,5 @@ +--- +'@shopify/cli-kit': patch +--- + +Redact Cookie and Set-Cookie headers from debug logs to prevent sensitive session data leakage. diff --git a/packages/cli-kit/src/private/node/api/headers.test.ts b/packages/cli-kit/src/private/node/api/headers.test.ts index 13441e6a5a0..7318bf3c791 100644 --- a/packages/cli-kit/src/private/node/api/headers.test.ts +++ b/packages/cli-kit/src/private/node/api/headers.test.ts @@ -97,6 +97,25 @@ describe('common API methods', () => { - Content-Type: application/json" `) }) + + test('sanitizedHeadersOutput removes the headers that include cookies', () => { + // Given + const headers = { + 'User-Agent': 'useragent', + Cookie: 'session=abc', + 'Set-Cookie': 'session=def', + 'content-type': 'application/json', + } + + // When + const got = sanitizedHeadersOutput(headers) + + // Then + expect(got).toMatchInlineSnapshot(` + " - User-Agent: useragent + - content-type: application/json" + `) + }) }) describe('GraphQLClientError', () => { diff --git a/packages/cli-kit/src/private/node/api/headers.ts b/packages/cli-kit/src/private/node/api/headers.ts index 691505dc9e8..37145ac9c8a 100644 --- a/packages/cli-kit/src/private/node/api/headers.ts +++ b/packages/cli-kit/src/private/node/api/headers.ts @@ -33,7 +33,7 @@ export class GraphQLClientError extends RequestClientError { */ export function sanitizedHeadersOutput(headers: Record): string { const sanitized: Record = {} - const keywords = ['token', 'authorization', 'subject_token'] + const keywords = ['token', 'authorization', 'subject_token', 'cookie'] Object.keys(headers).forEach((header) => { if (keywords.find((keyword) => header.toLocaleLowerCase().includes(keyword)) === undefined) { sanitized[header] = headers[header]!