fix(security): improve API key detection patterns to prevent false positives

- Change from substring to pattern-based matching for sensitive keys
- Prevents ANTHROPIC_MAX_TOKENS from being incorrectly censored
- Synchronize backend and UI detection logic for consistency
This commit is contained in:
kaitranntt
2025-12-08 16:32:52 -05:00
parent 639eec7930
commit efb42ba8f6
2 changed files with 20 additions and 3 deletions
+9 -2
View File
@@ -478,10 +478,17 @@ function maskApiKeys(settings: Settings): Settings {
if (!settings.env) return settings;
const masked = { ...settings, env: { ...settings.env } };
const sensitiveKeys = ['ANTHROPIC_AUTH_TOKEN', 'API_KEY', 'AUTH_TOKEN'];
// Pattern-based matching for sensitive keys
const sensitivePatterns = [
/^ANTHROPIC_AUTH_TOKEN$/, // Exact match for Anthropic auth token
/_API_KEY$/, // Keys ending with _API_KEY
/_AUTH_TOKEN$/, // Keys ending with _AUTH_TOKEN
/^API_KEY$/, // Exact match for API_KEY
/^AUTH_TOKEN$/, // Exact match for AUTH_TOKEN
];
for (const key of Object.keys(masked.env)) {
if (sensitiveKeys.some((sensitive) => key.includes(sensitive))) {
if (sensitivePatterns.some((pattern) => pattern.test(key))) {
const value = masked.env[key];
if (value && value.length > 8) {
masked.env[key] =
+11 -1
View File
@@ -145,7 +145,17 @@ function SettingsDialogContent({
};
const isSensitiveKey = (key: string): boolean => {
return key.includes('TOKEN') || key.includes('KEY') || key.includes('SECRET');
// Pattern-based matching for sensitive keys (same as backend)
const sensitivePatterns = [
/^ANTHROPIC_AUTH_TOKEN$/, // Exact match for Anthropic auth token
/_API_KEY$/, // Keys ending with _API_KEY
/_AUTH_TOKEN$/, // Keys ending with _AUTH_TOKEN
/^API_KEY$/, // Exact match for API_KEY
/^AUTH_TOKEN$/, // Exact match for AUTH_TOKEN
/_SECRET$/, // Keys ending with _SECRET
/^SECRET$/, // Exact match for SECRET
];
return sensitivePatterns.some((pattern) => pattern.test(key));
};
return (