Skip to content

fix: apply redaction before SSE broadcast in _execute_command #1678

Open
ionfwsrijan wants to merge 2 commits into
utksh1:mainfrom
ionfwsrijan:fix/1624-sse-unredacted-secrets
Open

fix: apply redaction before SSE broadcast in _execute_command #1678
ionfwsrijan wants to merge 2 commits into
utksh1:mainfrom
ionfwsrijan:fix/1624-sse-unredacted-secrets

Conversation

@ionfwsrijan

Copy link
Copy Markdown
Contributor

Description

The task output streaming endpoint broadcasts scanner output via SSE before the redact() function is applied, exposing API keys, passwords, tokens, and private keys to authorized clients viewing live output.

Changes

  1. backend/secuscan/executor.py:_execute_command() — Apply redact() to each decoded line before appending it to the output buffer and before broadcasting via SSE. This ensures the live stream and in-memory buffer only contain redacted content.
  2. testing/backend/unit/test_executor.py — Add test_execute_command_redacts_secrets_before_broadcast to verify known secret patterns (Bearer tokens, API keys) are redacted from SSE events.
  3. The existing redact() call at line 599 (file write) is retained as defense-in-depth — redact() is idempotent.

Impact

  • Authorized clients viewing live task output via SSE no longer see unredacted secrets
  • The output_lines in-memory buffer now contains only redacted content
  • The result API endpoint (reads from file which was already redacted) remains safe

Files Changed

  • backend/secuscan/executor.py — 3 lines changed (redact before broadcast/append)
  • testing/backend/unit/test_executor.py — New test added

Closes #1624

@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please review this. The failing check is pre-exisiting

@utksh1 utksh1 left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applying redaction before SSE broadcast is correct, but backend-unit CI is failing and the branch has merge conflicts. Please rebase on latest main, fix the failing tests, and push again.

@utksh1 utksh1 added level:intermediate 35 pts difficulty label for moderate contributor PRs type:security Security work category bonus label type:bug Bug fix work category bonus label area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests labels Jul 9, 2026
…#1624)

- Redact each decoded line before appending to output_lines and before
  broadcasting to SSE stream listeners
- Add test_execute_command_redacts_secrets_before_broadcast to verify
  that known secret patterns are redacted from stream events
- The raw_output_path file redaction (line 599) remains as defense-in-depth
@ionfwsrijan ionfwsrijan force-pushed the fix/1624-sse-unredacted-secrets branch from 7cbe9d2 to 653efe9 Compare July 10, 2026 01:40
@ionfwsrijan

Copy link
Copy Markdown
Contributor Author

@utksh1 Please review this now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:backend Backend API, database, or service work area:security Security-sensitive implementation or tests level:intermediate 35 pts difficulty label for moderate contributor PRs type:bug Bug fix work category bonus label type:security Security work category bonus label

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] SSE Live Output Stream Exposes Unredacted Secrets to Authorized Clients

2 participants