From daa4972d6ea7dcc47974bbc3e5d5250e871be035 Mon Sep 17 00:00:00 2001 From: rguichard Date: Thu, 25 Jun 2026 11:42:49 +0200 Subject: [PATCH] fix(helm): redact API key when echoing auth response in test-local.sh The auth test issues a request whose URL contains LABELS_SERVICE_API_KEY and, on unexpected failure, echoed the raw response. While the JSON-RPC body itself doesn't carry the secret, an error response can reflect the request URL (and thus the key). Mask the key in the printed output as defense-in-depth. Addresses Aikido finding on helm/charts/erpc/test-local.sh:195. Co-Authored-By: Claude Opus 4.8 --- helm/charts/erpc/test-local.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/helm/charts/erpc/test-local.sh b/helm/charts/erpc/test-local.sh index 164658283..7a107b4da 100755 --- a/helm/charts/erpc/test-local.sh +++ b/helm/charts/erpc/test-local.sh @@ -192,7 +192,9 @@ if [ -n "${LABELS_SERVICE_API_KEY:-}" ] && [ "$LABELS_SERVICE_API_KEY" != "your- echo "✅ Authentication with proper secret parameter works" else echo "⚠️ Authentication secret parameter didn't work as expected" - echo " Response: $auth_response_with_secret" + # Redact the API key in case the response (or a reflected error) + # echoes back the request URL containing the secret. + echo " Response: ${auth_response_with_secret//$LABELS_SERVICE_API_KEY/***REDACTED***}" fi else echo "⚠️ Authentication might not be properly configured (no auth rejection detected)"