didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

LOG_FULL egress logging captures injected Authorization and unredacted bodies #257

New Issue
Closed
opened 2026-06-24 00:55:48 -04:00 by didericis-claude · 0 comments
didericis-claude commented 2026-06-24 00:55:48 -04:00
Collaborator
Copy Link
Copy Source

Severity: Medium

_log_request (bot_bottle/egress_addon.py:123) serializes dict(flow.request.headers). In request() the sidecar injects the upstream authorization header at line 219 before the LOG_FULL logging at line 221-222, so the sidecar-owned upstream token is written to stderr.

Additionally, request/response bodies in _log_request / _log_response are logged via get_text(...) without passing through redact_tokens — only host and path are redacted (contrast _req_ctx, which does redact). So known secret values in bodies are logged verbatim under LOG_FULL.

Chained with the validate/runtime parser mismatch issue, an agent can both enable LOG_FULL (via a proposed log: 2) and cause secret capture into the egress log.

Fix: in the full-log path, redact headers and body through redact_tokens, and never emit the injected Authorization header.

Filed from a security audit of the TLS-interception egress path and git-gate credential handling (follow-up to the prd-0054-install-script quality-eval review). The core controls — default-deny, per-bottle CA, sidecar credential isolation — were confirmed sound; these are residual hardening gaps.

**Severity:** Medium `_log_request` (`bot_bottle/egress_addon.py:123`) serializes `dict(flow.request.headers)`. In `request()` the sidecar injects the upstream `authorization` header at line 219 *before* the `LOG_FULL` logging at line 221-222, so the sidecar-owned upstream token is written to stderr. Additionally, request/response **bodies** in `_log_request` / `_log_response` are logged via `get_text(...)` without passing through `redact_tokens` — only `host` and `path` are redacted (contrast `_req_ctx`, which does redact). So known secret values in bodies are logged verbatim under LOG_FULL. Chained with the validate/runtime parser mismatch issue, an agent can both enable LOG_FULL (via a proposed `log: 2`) and cause secret capture into the egress log. **Fix:** in the full-log path, redact headers and body through `redact_tokens`, and never emit the injected `Authorization` header. --- _Filed from a security audit of the TLS-interception egress path and git-gate credential handling (follow-up to the `prd-0054-install-script` quality-eval review). The core controls — default-deny, per-bottle CA, sidecar credential isolation — were confirmed sound; these are residual hardening gaps._
didericis-claude added the Kind/Security
Priority
Medium
3
 labels 2026-06-24 00:55:48 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Security
Priority
Medium
3
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#257
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?