fix: apply redaction before SSE broadcast in _execute_command #1678
Open
ionfwsrijan wants to merge 8 commits into
Open
fix: apply redaction before SSE broadcast in _execute_command #1678ionfwsrijan wants to merge 8 commits into
ionfwsrijan wants to merge 8 commits into
Conversation
…#1624) - Redact each decoded line before appending to output_lines and before broadcasting to SSE stream listeners - Add test_execute_command_redacts_secrets_before_broadcast to verify that known secret patterns are redacted from stream events - The raw_output_path file redaction (line 599) remains as defense-in-depth
… -> _stderr_diagnostic, Template.safe_substitute)
Contributor
Author
|
@utksh1 Please review this. The failing check is pre-exisiting |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The task output streaming endpoint broadcasts scanner output via SSE before the
redact()function is applied, exposing API keys, passwords, tokens, and private keys to authorized clients viewing live output.Changes
backend/secuscan/executor.py:_execute_command()— Applyredact()to each decoded line before appending it to the output buffer and before broadcasting via SSE. This ensures the live stream and in-memory buffer only contain redacted content.testing/backend/unit/test_executor.py— Addtest_execute_command_redacts_secrets_before_broadcastto verify known secret patterns (Bearer tokens, API keys) are redacted from SSE events.redact()call at line 599 (file write) is retained as defense-in-depth —redact()is idempotent.Impact
output_linesin-memory buffer now contains only redacted contentFiles Changed
backend/secuscan/executor.py— 3 lines changed (redact before broadcast/append)testing/backend/unit/test_executor.py— New test addedCloses #1624