Skip to content

fix: apply redaction before SSE broadcast in _execute_command #1678

Open
ionfwsrijan wants to merge 8 commits into
utksh1:mainfrom
ionfwsrijan:fix/1624-sse-unredacted-secrets
Open

fix: apply redaction before SSE broadcast in _execute_command #1678
ionfwsrijan wants to merge 8 commits into
utksh1:mainfrom
ionfwsrijan:fix/1624-sse-unredacted-secrets

Conversation

@ionfwsrijan

Copy link
Copy Markdown
Contributor

Description

The task output streaming endpoint broadcasts scanner output via SSE before the redact() function is applied, exposing API keys, passwords, tokens, and private keys to authorized clients viewing live output.

Changes

  1. backend/secuscan/executor.py:_execute_command() — Apply redact() to each decoded line before appending it to the output buffer and before broadcasting via SSE. This ensures the live stream and in-memory buffer only contain redacted content.
  2. testing/backend/unit/test_executor.py — Add test_execute_command_redacts_secrets_before_broadcast to verify known secret patterns (Bearer tokens, API keys) are redacted from SSE events.
  3. The existing redact() call at line 599 (file write) is retained as defense-in-depth — redact() is idempotent.

Impact

  • Authorized clients viewing live task output via SSE no longer see unredacted secrets
  • The output_lines in-memory buffer now contains only redacted content
  • The result API endpoint (reads from file which was already redacted) remains safe

Files Changed

  • backend/secuscan/executor.py — 3 lines changed (redact before broadcast/append)
  • testing/backend/unit/test_executor.py — New test added

Closes #1624

…#1624)

- Redact each decoded line before appending to output_lines and before
  broadcasting to SSE stream listeners
- Add test_execute_command_redacts_secrets_before_broadcast to verify
  that known secret patterns are redacted from stream events
- The raw_output_path file redaction (line 599) remains as defense-in-depth
… -> _stderr_diagnostic, Template.safe_substitute)
@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please review this. The failing check is pre-exisiting

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] SSE Live Output Stream Exposes Unredacted Secrets to Authorized Clients

1 participant