Skip to main content
info

This documentation is automatically synchronized from the claude-hub repository. Last updated: 2025-06-01

Credential Security Implementation

This document describes the security measures implemented to prevent credential leaks in webhook responses.

Overview

The webhook service handles sensitive credentials including:

  • GitHub tokens (GITHUB_TOKEN)
  • AWS access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • Other environment variables

Security Measures Implemented

1. Docker Command Sanitization

In src/services/claudeService.ts:

  • Docker commands are sanitized before logging
  • Sensitive environment variables are replaced with [REDACTED]
  • Sanitized commands are used in all error messages
const sanitizedCommand = dockerCommand.replace(/-e [A-Z_]+=\"[^\"]*\"/g, (match) => {
  const envKey = match.match(/-e ([A-Z_]+)=\"/)[1];
  const sensitiveKeys = ['GITHUB_TOKEN', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'];
  if (sensitiveKeys.includes(envKey)) {
    return `-e ${envKey}="[REDACTED]"`;
  }
  return match;
});

2. Output Sanitization

  • stderr and stdout are sanitized to remove any credential values
  • All occurrences of sensitive values are replaced with [REDACTED]
  • Sanitized output is used in error messages and logs

3. Logger Redaction

In src/utils/logger.ts:

  • Pino logger configured with comprehensive redaction paths
  • Automatically redacts sensitive fields in log output
  • Covers nested objects and various field patterns

4. Error Response Sanitization

In src/controllers/githubController.ts:

  • Only error messages (not full stack traces) are sent to GitHub
  • No raw stderr/stdout is exposed in webhook responses
  • Generic error messages for internal server errors

Testing

Several test scripts verify the security implementation:

  • test/test-credential-leak.js - Tests sanitization logic
  • test/test-webhook-credentials.js - Tests webhook behavior
  • test/test-logger-redaction.js - Tests logger redaction

Best Practices

  1. Never log raw Docker commands with environment variables
  2. Always sanitize error output before sending to external services
  3. Use the logger's built-in redaction for all sensitive fields
  4. Test credential handling with mock values regularly
  5. Review error messages to ensure no sensitive data is exposed