🛡️ Sentinel: [MEDIUM] Fix sensitive credentials exposure by using password fields #80

bobdivx wants to merge 1 commit into
Conversation
…sword fields

- Changed TMDB API key input fields to `type="password"` with `autoComplete="off"`.
- Changed Tracker Passkeys and custom Indexer API keys to `type="password"` with `autoComplete="off"`.
- Recorded security learning in `.jules/sentinel.md`.

Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
The latest updates on your projects. Learn more about Vercel for GitHub.
Code Review
This pull request enhances security by converting sensitive input fields, such as TMDB API keys and tracker passkeys, from plain text to password types and adding autocomplete prevention across multiple components. It also updates the security log to document this change. Feedback focuses on maintaining the reverse chronological order of the security log and improving the autocomplete configuration by using "new-password" and adding descriptive name attributes to help browsers correctly handle these fields.
| **Learning:** `Math.random()` is not cryptographically secure and shouldn't be used for IDs, especially not for indexer setups and device IDs. Moreover, calling `globalThis.crypto.randomUUID()` directly fails on HTTP non-localhost sites since it requires a Secure Context. | ||
| **Prevention:** Always use the Web Crypto API (`crypto.getRandomValues()` or `crypto.randomUUID()`) through a centralized utility like `src/lib/utils/uuid.ts` that provides safe fallbacks for unsupported environments and non-secure contexts. | ||
|
|
||
| ## 2025-02-14 - Use Password Fields for Sensitive Inputs |
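Review bot: the new `## 2025-02-14 - Use Password Fields for Sensitive Inputs` entry is placed below the existing Math.random()/Secure Context entry, so the log no longer reads newest-first; if `.jules/sentinel.md` is kept in reverse chronological order, as the review summary above states, move the new heading and its rows to the top of the file, above the existing entries.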
| type="password" | ||
| autoComplete="off" |
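Review bot: `autoComplete="off"` is ignored by current Chrome, Firefox and Safari on password-type inputs, so this hunk does not deliver the autocomplete protection the PR description claims; prefer `autoComplete="new-password"`, which tells browsers and password managers not to fill the site login into this field or offer to save the key as the site password, and add a distinct `name` (e.g. `name="tmdb_api_key"`) so the field is classified correctly. Note also that `type="password"` only changes how the value is rendered, not how it is stored or transmitted, so treat this as a shoulder-surfing and screen-share mitigation rather than protection for the secret itself.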
Using autoComplete="new-password" is generally more effective than "off" for sensitive fields like API keys. It explicitly signals to modern browsers and password managers that they should not attempt to autofill the user's site password into this field, nor should they offer to save the API key as the site's password. Additionally, adding a name attribute helps browsers correctly identify the field's purpose.
| type="password" | |
| autoComplete="off" | |
| type="password" | |
| autoComplete="new-password" | |
| name="tmdb_api_key" |
🚨 Severity: MEDIUM

💡 Vulnerability: Sensitive credentials like TMDB API keys, Tracker Passkeys, and custom Indexer API keys were exposed in the UI through standard `<input type="text">` fields. This exposed credentials to shoulder-surfing, screen sharing, and browser autocomplete mechanisms.

🎯 Impact: An attacker with physical access or a malicious entity observing a screen share could capture these credentials. Furthermore, browsers might inadvertently cache or sync these secrets via their autocomplete features.

🔧 Fix: Updated the input fields for these sensitive credentials in `TmdbConfig.tsx`, `TmdbStep.tsx`, `UploadTrackerPanel.tsx`, `UploadTrackersManagerPanel.tsx`, and `UploadAssistantPanel.tsx` to use `type="password"` combined with `autoComplete="off"`.

✅ Verification: Ran `pnpm test` and `pnpm build` to ensure the changes did not cause regressions, which all passed successfully. The changes were also verified by reading the updated source files.

Recorded the finding in `.jules/sentinel.md` as required.

PR created automatically by Jules for task 11999556888527800874 started by @bobdivx
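As an added example (not code from this PR or the project), here is the check a reviewer would want behind the `new-password`/`name` comment above and the PR description's list of changed fields: a small plain-JavaScript lint that scans form markup for inputs whose name, id or placeholder suggests a credential and flags those still rendered as `type="text"` or still carrying `autoComplete="off"`, plus a helper returning the hardened attribute set the review suggests. The hint word list, the function names and the sample markup are assumptions constructed for the example; the markup is not taken from any of the five `.tsx` files the PR touches.

```javascript
// Added example, not code from the PR or the project: a lint for credential
// inputs that are still rendered as plain text or still allow autofill, and a
// helper that returns the hardened attribute set the review suggests.

// Words that mark an input as holding a secret. Assumed heuristic; extend it
// to match the naming used in the code base being checked.
const SECRET_HINTS = /(api[_-]?key|passkey|password|secret|token)/i;

// Attributes a secret input should carry: mask the value on screen, tell
// browsers and password managers not to fill the site login into it or save
// it as the site password ("new-password" is honoured where "off" is not),
// and give it a distinct name so the browser can classify the field.
function secretInputProps(name) {
  return {
    type: "password",
    name,
    autoComplete: "new-password",
    spellCheck: false,
  };
}

// Pull every <input ...> tag out of a markup string and return its attributes
// with lower-cased keys, so HTML "autocomplete" and JSX "autoComplete" match.
// Values may be double-quoted, single-quoted or a JSX {expression}.
function parseInputs(markup) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|\{([^}]*)\})/g;
  let tag;
  while ((tag = tagRe.exec(markup)) !== null) {
    const attrs = {};
    let m;
    while ((m = attrRe.exec(tag[1])) !== null) {
      attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Report inputs whose name/id/placeholder suggests a credential but which are
// rendered as plain text or leave autofill enabled. Returns a list of
// { field, issue } findings; an empty list means every secret field is hardened.
function auditSecretInputs(markup) {
  const findings = [];
  for (const attrs of parseInputs(markup)) {
    const label = [attrs.name, attrs.id, attrs.placeholder].filter(Boolean).join(" ");
    if (!SECRET_HINTS.test(label)) continue;
    const type = (attrs.type || "text").toLowerCase();
    const autocomplete = (attrs.autocomplete || "").toLowerCase();
    if (type !== "password") {
      findings.push({ field: label, issue: `type="${type}" exposes the value on screen` });
    }
    if (autocomplete !== "new-password") {
      findings.push({
        field: label,
        issue: `autocomplete="${autocomplete || "(unset)"}" should be "new-password"`,
      });
    }
  }
  return findings;
}

// Constructed sample markup (not from the project): one field as it looked
// before the PR, one as the PR left it, one as the reviewer suggests, and one
// non-secret field that must be ignored.
const SAMPLE_FORM = `
  <input type="text" name="tmdb_api_key" placeholder="TMDB API key" />
  <input type="password" id="tracker-passkey" autoComplete="off" />
  <input type="password" name="indexer_api_key" autoComplete="new-password" />
  <input type="text" name="display_name" />
`;

if (typeof require !== "undefined" && require.main === module) {
  // Expected: three findings, two for tmdb_api_key and one for tracker-passkey.
  console.log(auditSecretInputs(SAMPLE_FORM));
}
```

Run it with `node` to print the findings for the sample form. To keep the five fields from regressing, the same `auditSecretInputs` can be pointed at the rendered output of each component (for example the string returned by React's `renderToStaticMarkup`) from a unit test that asserts the list is empty; that wiring is a suggestion, not something the PR includes.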