Skip to content

fix: security hardening across auth, API, keychain, and error output#7

Merged
wcole1-godaddy merged 1 commit intomainfrom
fix/security-hardening
Feb 24, 2026
Merged

fix: security hardening across auth, API, keychain, and error output#7
wcole1-godaddy merged 1 commit intomainfrom
fix/security-hardening

Conversation

@wcole1-godaddy
Copy link
Contributor

@wcole1-godaddy wcole1-godaddy commented Feb 24, 2026

Security Hardening

Addresses 8 findings from a security audit of the CLI. 2 high, 4 medium, 2 low severity.

High

  • SEC-01: OAuth callback server now binds to 127.0.0.1 instead of 0.0.0.0, preventing LAN-based auth code interception
  • SEC-02: --debug output now sanitizes response headers, redacting Set-Cookie, Authorization, and other sensitive headers

Medium

  • SEC-03: --include flag now sanitizes response headers before writing them into the JSON envelope on stdout
  • SEC-04: OAuth error callback page now HTML-escapes error messages, preventing reflected XSS
  • SEC-05: Windows PowerShell keychain escaping hardened — strips NUL bytes, rejects newlines, validates all 4 methods (set/get/delete/find)
  • SEC-06: Raw server error payloads no longer forwarded into userMessage fields in JSON envelopes. Affects applications.ts (9 GraphQL catch sites) and webhook-events.ts

Low

  • SEC-07: --debug output now redacts sensitive fields (token, secret, password, credential) in request bodies
  • SEC-10: OAuth callback server now auto-closes after 120 seconds if the user never completes the browser flow

Not code changes

  • SEC-08 (env var redirect) and SEC-09 (-F file read) are by-design behaviors, documented only

Files changed

  • src/core/auth.ts — SEC-01, SEC-04, SEC-10
  • src/core/api.ts — SEC-02, SEC-03, SEC-06, SEC-07
  • src/cli/commands/api.ts — SEC-03
  • src/effect/layers/keychain-native.ts — SEC-05
  • src/services/applications.ts — SEC-06
  • src/services/webhook-events.ts — SEC-06

Testing

  • TypeScript: tsc --noEmit passes
  • Build: pnpm run build passes
  • Unit tests: 653/654 pass (1 flaky perf test pre-existing)
  • CLI smoke: all commands produce correct JSON envelopes

@wcole1-godaddy
fix: security hardening across auth, API, keychain, and error output
c27dcbd 
SEC-01: Bind OAuth callback server to 127.0.0.1 instead of 0.0.0.0
SEC-02: Sanitize response headers in --debug output (redact cookies, tokens)
SEC-03: Sanitize response headers in --include JSON envelope
SEC-04: HTML-escape error messages in OAuth callback page (XSS)
SEC-05: Harden PowerShell escaping (strip NUL, reject newlines in all methods)
SEC-06: Stop forwarding raw server error payloads into userMessage fields
SEC-07: Redact sensitive fields (token, secret, password) in debug request body
SEC-10: Add 120s timeout to OAuth server to prevent indefinite hang
@wcole1-godaddy wcole1-godaddy merged commit 1e613c3 into main Feb 24, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wcole1-godaddy