11 changes: 8 additions & 3 deletions Packs/Security/src/Recon/Tools/IpinfoClient.ts
Expand Up @@ -83,10 +83,14 @@ export class IPInfoClient {
// Rate limiting
await this.rateLimit();

const url = `${this.baseUrl}/${ip}/json?token=${this.apiKey}`;
// Send the token via Authorization header, not the URL query string
// (URL params leak into proxy/server logs).
const url = `${this.baseUrl}/${ip}/json`;

try {
const response = await fetch(url);
const response = await fetch(url, {
headers: { Authorization: `Bearer ${this.apiKey}` },
});

if (!response.ok) {
if (response.status === 429) {
// Rate limiting
await this.rateLimit();

const url = `${this.baseUrl}/batch?token=${this.apiKey}`;
const url = `${this.baseUrl}/batch`;

try {
const response = await fetch(url, {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${this.apiKey}`,
},
body: JSON.stringify(uncachedIPs),
});
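Review bot: With the token out of the URL, the only caller-controlled value left in it is `ip`, which is interpolated raw into the path at `${this.baseUrl}/${ip}/json` (first hunk); nothing visible in the hunk validates or encodes it, so a value containing `/`, `?` or `..` would change the request path rather than fail. Unless lookup() already validates the address before this point (its start is outside the hunk), encode it: `const url = \`${this.baseUrl}/${encodeURIComponent(ip)}/json\`;`. The batch hunk builds a fixed `/batch` path and sends the addresses in the JSON body, so it does not need the same treatment. Both fetch calls also run without a deadline; passing `signal: AbortSignal.timeout(this.timeoutMs)` (or an equivalent existing setting) in the options object would keep a stalled upstream from holding the rate-limited caller indefinitely.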
4 changes: 3 additions & 1 deletion Packs/Security/src/Recon/Tools/SubdomainEnum.ts
Expand Up @@ -47,7 +47,9 @@ async function runChaos(domain: string): Promise<string[]> {
return [];
}
try {
const result = await $`chaos -key ${key} -d ${domain} -silent`.text();
// chaos reads PDCP_API_KEY from the environment; passing -key would expose
// the credential in the process argument list (visible via ps/proc).
const result = await $`chaos -d ${domain} -silent`.env({ ...process.env, PDCP_API_KEY: key }).text();
return result.trim().split("\n").filter(Boolean);
} catch {
console.error("[chaos] Failed");
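Review bot: The new line packs the command, the environment override and `.text()` into one roughly 100-character chain; splitting it, e.g. `const env = { ...process.env, PDCP_API_KEY: key };` followed by `const result = await $\`chaos -d ${domain} -silent\`.env(env).text();`, reads better and keeps the credential handling on its own line. The comment's claim that chaos reads `PDCP_API_KEY` depends on the installed chaos-client version, since older releases only took `-key`; naming the minimum supported version in the comment (e.g. `// requires chaos-client >= <version that honours PDCP_API_KEY>`) would stop a silent fallback to an unauthenticated run if an older binary is on PATH. runChaos's body starts before this hunk, so whether `domain` is validated before it is interpolated is not visible here; Bun's `$` escapes interpolations, but the tool will still be invoked with whatever string arrives.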
7 changes: 5 additions & 2 deletions Packs/Security/src/WebAssessment/WebappScripts/with_server.py
Expand Up @@ -65,10 +65,13 @@ def main():
for i, server in enumerate(servers):
print(f"Starting server {i+1}/{len(servers)}: {server['cmd']}")

# Use shell=True to support commands with cd and &&
# shell=True is intentional: this is a local developer helper and `server['cmd']`
# is the operator's own --server argument (needs cd/&& support). The command is
# already operator-controlled at the same trust level as the shell invoking this
# script, so there is no privilege boundary to cross. Do NOT pass untrusted input here.
process = subprocess.Popen(
server['cmd'],
shell=True,
shell=True, # nosec B602 - operator-supplied local command, see note above
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
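Review bot: The justification comment is sound, but the same `Popen` call captures both `stdout=subprocess.PIPE` and `stderr=subprocess.PIPE` for a long-running server; unless the rest of main() (which continues outside this hunk) drains those pipes, a chatty server will fill the OS pipe buffer and block on write, which looks like a hung startup. If the output is not consumed, redirecting to `subprocess.DEVNULL` or to a log file is safer than PIPE; if it is consumed, a one-line comment such as `# stdout/stderr are drained below; do not leave PIPE unread` next to the call would document the contract. Consider also stating in the new comment where the `--server` values are parsed, so a future reader can confirm the operator-only trust assumption still holds.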