Skip to content

Redact sensitive headers from HTTP debug output#1015

Open
jnunemaker wants to merge 1 commit into
mainfrom
redact-cloud-token-debug-output
Open

Redact sensitive headers from HTTP debug output#1015
jnunemaker wants to merge 1 commit into
mainfrom
redact-cloud-token-debug-output

Conversation

@jnunemaker

Copy link
Copy Markdown
Collaborator

Problem

Enabling FLIPPER_CLOUD_DEBUG_OUTPUT_STDOUT (or passing debug_output:) handed the raw stream straight to Net::HTTP#set_debug_output, which dumps the full request — including the flipper-cloud-token bearer credential and HTTP Basic Authorization header — in cleartext to STDOUT/logs, leaking the token to centralized logging.

Fix

Wrap the debug stream in a new Flipper::Adapters::Http::RedactedDebugOutput, which replaces the values of sensitive headers (flipper-cloud-token, authorization) with [REDACTED] before they reach the underlying stream, leaving header names and all other output intact. Wrapping happens at the HTTP client (client.rb:95) so every consumer benefits, not just cloud, and .wrap is a no-op on nil and won't double-wrap. Covered by a new unit spec plus an updated http adapter spec; all 119 http adapter examples pass.

🤖 Generated with Claude Code

Enabling debug output (FLIPPER_CLOUD_DEBUG_OUTPUT_STDOUT or debug_output:)
handed the raw stream to Net::HTTP#set_debug_output, which dumps every request
header — including the flipper-cloud-token bearer credential and HTTP Basic
Authorization — in cleartext to STDOUT/logs.

Wrap the debug stream in RedactedDebugOutput, which replaces the values of
sensitive headers with [REDACTED] before they reach the underlying stream.
Wrapping happens in the HTTP client so every consumer is protected, not just
cloud.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant