Skip to content

🛡️ Sentinel: [HIGH] Fix DSN credential leak via urlsplit bypass#573

Open
seonghobae wants to merge 4 commits into
mainfrom
sentinel-dsn-urlsplit-fix-16334902666858344870
Open

🛡️ Sentinel: [HIGH] Fix DSN credential leak via urlsplit bypass#573
seonghobae wants to merge 4 commits into
mainfrom
sentinel-dsn-urlsplit-fix-16334902666858344870

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

🛡️ Sentinel: [HIGH] Fix DSN credential leak via urlsplit bypass

🚨 Severity: HIGH
💡 Vulnerability: urllib.parse.urlsplit failed to parse netloc for malformed DSNs (e.g. missing ://), placing credentials in the path. This allowed passwords in these specific connection strings to bypass the backend's redaction logic and potentially leak into error messages.
🎯 Impact: Passwords could be exposed in user-facing error messages or backend logs if an invalid or obscurely-formatted DSN was provided.
🔧 Fix: Enhanced _password_candidates_from_dsn to detect when urlsplit fails to extract netloc. It now falls back to splitting on : and injecting a http:// scheme to ensure secrets are correctly parsed and masked. Added a test case.
✅ Verification: Ran pytest tests/test_dsn_redaction.py to confirm the new test_redacts_dsn_without_slashes test passes and 100% test coverage is maintained.


PR created automatically by Jules for task 16334902666858344870 started by @seonghobae

🚨 Severity: HIGH
💡 Vulnerability: `urllib.parse.urlsplit` failed to parse `netloc` for malformed DSNs (e.g. missing `://`), placing credentials in the `path`. This allowed passwords in these specific connection strings to bypass the backend's redaction logic and potentially leak into error messages.
🎯 Impact: Passwords could be exposed in user-facing error messages or backend logs if an invalid or obscurely-formatted DSN was provided.
🔧 Fix: Enhanced `_password_candidates_from_dsn` to detect when `urlsplit` fails to extract `netloc`. It now falls back to splitting on `:` and injecting a `http://` scheme to ensure secrets are correctly parsed and masked. Added a test case.
✅ Verification: Ran `pytest tests/test_dsn_redaction.py` to confirm the new `test_redacts_dsn_without_slashes` test passes and 100% test coverage is maintained.
@google-labs-jules

Copy link
Copy Markdown

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

🚨 Severity: HIGH
💡 Vulnerability: `urllib.parse.urlsplit` failed to parse `netloc` for malformed DSNs (e.g. missing `://`), placing credentials in the `path`. This allowed passwords in these specific connection strings to bypass the backend's redaction logic and potentially leak into error messages.
🎯 Impact: Passwords could be exposed in user-facing error messages or backend logs if an invalid or obscurely-formatted DSN was provided.
🔧 Fix: Enhanced `_password_candidates_from_dsn` to detect when `urlsplit` fails to extract `netloc`. It now falls back to splitting on `:` and injecting a `http://` scheme to ensure secrets are correctly parsed and masked. Added a test case.
✅ Verification: Ran `pytest tests/test_dsn_redaction.py` to confirm the new `test_redacts_dsn_without_slashes` test passes and 100% test coverage is maintained.
🚨 Severity: HIGH
💡 Vulnerability: `urllib.parse.urlsplit` 함수가 `://`가 없거나(ex. postgres:user:pass@host) 언더스코어가 포함된 비표준 DSN 문자열을 처리할 때, 인증 정보를 `netloc`이 아닌 `path`로 파싱하는 문제가 있었습니다. 이로 인해 해당 문자열들이 백엔드 DSN 마스킹(redaction) 로직을 우회하여 사용자 에러 메시지나 로그에 비밀번호가 노출될 위험이 존재했습니다.
🎯 Impact: 잘못된 형식의 DSN 연결 시도 시, 비밀번호 등 민감한 인증 정보가 로그나 에러 응답을 통해 유출될 수 있었습니다.
🔧 Fix: `backend/app/dsn_redaction.py`의 `_password_candidates_from_dsn` 함수에 폴백(fallback) 로직을 추가했습니다. `urlsplit`이 `netloc`을 파싱하지 못한 경우, `:`을 기준으로 문자열을 분리하고 임의의 `http://` 스키마를 주입하여 인증 정보를 올바르게 추출 및 마스킹하도록 수정했습니다.
✅ Verification: `pytest tests/test_dsn_redaction.py`를 실행하여 100% 테스트 커버리지를 통과함을 확인했습니다. CHANGELOG를 한국어로 갱신했습니다.
🚨 Severity: HIGH
💡 Vulnerability: `urllib.parse.urlsplit` 함수가 `://`가 없거나(ex. postgres:user:pass@host) 언더스코어가 포함된 비표준 DSN 문자열을 처리할 때, 인증 정보를 `netloc`이 아닌 `path`로 파싱하는 문제가 있었습니다. 이로 인해 해당 문자열들이 백엔드 DSN 마스킹(redaction) 로직을 우회하여 사용자 에러 메시지나 로그에 비밀번호가 노출될 위험이 존재했습니다.
🎯 Impact: 잘못된 형식의 DSN 연결 시도 시, 비밀번호 등 민감한 인증 정보가 로그나 에러 응답을 통해 유출될 수 있었습니다.
🔧 Fix: `backend/app/dsn_redaction.py`의 `_password_candidates_from_dsn` 함수에 폴백(fallback) 로직을 추가했습니다. `urlsplit`이 `netloc`을 파싱하지 못한 경우, `:`을 기준으로 문자열을 분리하고 임의의 `http://` 스키마를 주입하여 인증 정보를 올바르게 추출 및 마스킹하도록 수정했습니다.
✅ Verification: `pytest tests/test_dsn_redaction.py`를 실행하여 100% 테스트 커버리지를 통과함을 확인했습니다. CHANGELOG를 한국어로 갱신했습니다.

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode could not approve from deterministic current-head evidence because GitHub Checks have failed.

Findings

1. HIGH Current-head GitHub Checks - Fix failed required checks before approval

  • Problem: Failed same-head checks remain for 820caedc000e81e3d64c147f94116e3f4915b43c.
  • Root cause: The model-unavailable evidence fallback is allowed only when peer GitHub Checks are complete and clean.
  • Fix: Read and fix the failed check logs below, then rerun the current-head checks.
  • Regression test: Keep the model-unavailable fallback gated on an empty failed-check rollup.

Failed checks:

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Changed file (2 files)"]
  S1 --> I1["repository behavior"]
  I1 --> R1["Review risk: Changed file (2 files)"]
  R1 --> V1["required checks"]
  Evidence --> S2["Backend (3 files)"]
  S2 --> I2["API and service runtime"]
  I2 --> R2["Review risk: Backend (3 files)"]
  R2 --> V2["backend tests"]
Loading

@opencode-agent

Copy link
Copy Markdown
Contributor

OpenCode Review Overview

  • Head SHA: 820caedc000e81e3d64c147f94116e3f4915b43c
  • Workflow run: 29458200835
  • Workflow attempt: 1
  • Gate result: REQUEST_CHANGES (approval step)

Pull request overview

OpenCode could not approve from deterministic current-head evidence because GitHub Checks have failed.

Findings

1. HIGH Current-head GitHub Checks - Fix failed required checks before approval

  • Problem: Failed same-head checks remain for 820caedc000e81e3d64c147f94116e3f4915b43c.
  • Root cause: The model-unavailable evidence fallback is allowed only when peer GitHub Checks are complete and clean.
  • Fix: Read and fix the failed check logs below, then rerun the current-head checks.
  • Regression test: Keep the model-unavailable fallback gated on an empty failed-check rollup.

Failed checks:

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Changed file (2 files)"]
  S1 --> I1["repository behavior"]
  I1 --> R1["Review risk: Changed file (2 files)"]
  R1 --> V1["required checks"]
  Evidence --> S2["Backend (3 files)"]
  S2 --> I2["API and service runtime"]
  I2 --> R2["Review risk: Backend (3 files)"]
  R2 --> V2["backend tests"]
Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant