fix(stack): redact env in PATCH /stacks/:slug/env response + panic-safe audit#217
Merged
Merged
Conversation
…fe audit Two bug-bash (2026-06-02) findings on the stack env-update handler: - The response echoed the full merged env map verbatim (`"env": merged`), unlike DeployHandler.UpdateEnv which redacts the same shape. A PATCH setting one harmless key returns ALL previously-set values — including credential URLs and secret-keyed values carried over in stacks.env_vars — in cleartext into proxy logs / browser panels / agent transcripts. Now returns redactEnvVars(merged) (stored value stays unredacted; only the response is masked). - The audit-emit goroutine was a bare `go func` with no panic recovery; switch to safego.Go to match runStackDeploy/runStackRedeploy. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update TestStack_PatchEnv_PersistsAndReturns to expect the response to mask DATABASE_URL to "***" (key contains "URL") while NODE_ENV passes through — matching the bug-bash #1 redaction fix. The DB round-trip assertions still verify the STORED value is the unredacted "postgres://example". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two bug-bash (2026-06-02) findings on the stack env handler.
P1 — secret leak in response:
PATCH /stacks/:slug/envechoed the full merged env map verbatim, unlikeDeployHandler.UpdateEnvwhich redacts. Setting one harmless key returned ALL prior values (credential URLs, secret-keyed values fromstacks.env_vars) in cleartext into logs/transcripts. NowredactEnvVars(merged)— stored value stays unredacted, only the response is masked.P2 — unrecovered goroutine: the audit-emit
go funchad no panic recovery; switched tosafego.Go.Local: build + vet clean. 🤖 Generated with Claude Code