stability: redact tokens from logs and error responses #5

Open
opened 2026-05-23 18:30:22 +00:00 by Klaus · 0 comments
Owner

Problem

In debug mode (GITEA_DEBUG=true), pkg/to/to.go and pkg/log log marshalled tool inputs/results. Some tool inputs include an Authorization header pass-through; error bodies from the Gitea SDK can also echo URLs containing the token in query params for older clients. Today there is no sanitizer — a debug log file (~/.gitea-mcp/gitea-mcp.log) shipped from a customer environment could leak credentials.

Suggested direction

  • Add a small redactor in pkg/log that strips Authorization: headers, token=... query params, and anything matching common bearer-token patterns before writing
  • Apply it in both the debug request/response logger and the error-formatting path
  • Add a unit test that feeds a known token through and asserts it is replaced with ***
## Problem In debug mode (`GITEA_DEBUG=true`), `pkg/to/to.go` and `pkg/log` log marshalled tool inputs/results. Some tool inputs include an `Authorization` header pass-through; error bodies from the Gitea SDK can also echo URLs containing the token in query params for older clients. Today there is no sanitizer — a debug log file (`~/.gitea-mcp/gitea-mcp.log`) shipped from a customer environment could leak credentials. ## Suggested direction - Add a small redactor in `pkg/log` that strips `Authorization:` headers, `token=...` query params, and anything matching common bearer-token patterns before writing - Apply it in both the debug request/response logger and the error-formatting path - Add a unit test that feeds a known token through and asserts it is replaced with `***`
Sign in to join this conversation.
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Klaus/gitea-mcp#5