wylab/claude-hub
1
0
Fork 0
forked from claude-did-this/claude-hub
Code Issues 1 Pull Requests Activity
Files
fc567071dde63ddd42baa5489042a8aba8c6529e
claude-hub/docs/credential-security.md
Jonathan Flatt fc567071dd Initial commit
2025-05-20 17:01:59 +00:00

2.2 KiB
Raw Blame History

Credential Security Implementation

This document describes the security measures implemented to prevent credential leaks in webhook responses.

Overview

The webhook service handles sensitive credentials including:

  • GitHub tokens (GITHUB_TOKEN)
  • AWS access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • Other environment variables

Security Measures Implemented

1. Docker Command Sanitization

In src/services/claudeService.js:

  • Docker commands are sanitized before logging
  • Sensitive environment variables are replaced with [REDACTED]
  • Sanitized commands are used in all error messages
const sanitizedCommand = dockerCommand.replace(/-e [A-Z_]+=\"[^\"]*\"/g, (match) => {
  const envKey = match.match(/-e ([A-Z_]+)=\"/)[1];
  const sensitiveKeys = ['GITHUB_TOKEN', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'];
  if (sensitiveKeys.includes(envKey)) {
    return `-e ${envKey}="[REDACTED]"`;
  }
  return match;
});

2. Output Sanitization

  • stderr and stdout are sanitized to remove any credential values
  • All occurrences of sensitive values are replaced with [REDACTED]
  • Sanitized output is used in error messages and logs

3. Logger Redaction

In src/utils/logger.js:

  • Pino logger configured with comprehensive redaction paths
  • Automatically redacts sensitive fields in log output
  • Covers nested objects and various field patterns

4. Error Response Sanitization

In src/controllers/githubController.js:

  • Only error messages (not full stack traces) are sent to GitHub
  • No raw stderr/stdout is exposed in webhook responses
  • Generic error messages for internal server errors

Testing

Several test scripts verify the security implementation:

  • test/test-credential-leak.js - Tests sanitization logic
  • test/test-webhook-credentials.js - Tests webhook behavior
  • test/test-logger-redaction.js - Tests logger redaction

Best Practices

  1. Never log raw Docker commands with environment variables
  2. Always sanitize error output before sending to external services
  3. Use the logger's built-in redaction for all sensitive fields
  4. Test credential handling with mock values regularly
  5. Review error messages to ensure no sensitive data is exposed
Reference in New Issue View Git Blame Copy Permalink