Redact sensitive headers from HTTP debug output#1015
Open
jnunemaker wants to merge 1 commit into
Open
Conversation
Enabling debug output (FLIPPER_CLOUD_DEBUG_OUTPUT_STDOUT or debug_output:) handed the raw stream to Net::HTTP#set_debug_output, which dumps every request header — including the flipper-cloud-token bearer credential and HTTP Basic Authorization — in cleartext to STDOUT/logs. Wrap the debug stream in RedactedDebugOutput, which replaces the values of sensitive headers with [REDACTED] before they reach the underlying stream. Wrapping happens in the HTTP client so every consumer is protected, not just cloud. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Enabling
FLIPPER_CLOUD_DEBUG_OUTPUT_STDOUT(or passingdebug_output:) handed the raw stream straight toNet::HTTP#set_debug_output, which dumps the full request — including theflipper-cloud-tokenbearer credential and HTTP BasicAuthorizationheader — in cleartext to STDOUT/logs, leaking the token to centralized logging.Fix
Wrap the debug stream in a new
Flipper::Adapters::Http::RedactedDebugOutput, which replaces the values of sensitive headers (flipper-cloud-token,authorization) with[REDACTED]before they reach the underlying stream, leaving header names and all other output intact. Wrapping happens at the HTTP client (client.rb:95) so every consumer benefits, not just cloud, and.wrapis a no-op onniland won't double-wrap. Covered by a new unit spec plus an updated http adapter spec; all 119 http adapter examples pass.🤖 Generated with Claude Code