fix(security): strip Basic Auth credentials from HTTP request logs and sanitize upload filenames #2469

Open
beejak wants to merge 1 commit into baptisteArno:main from beejak:fix/credential-leak-in-http-request-logs
beejak commented Apr 20, 2026

Summary

Two security issues found in the HTTP request block execution path and file upload URL generation.

1. Basic Auth credentials leaked in execution logs (High)

executeHttpRequestBlock.ts extracts username and password from the Authorization: Basic ... header into a basicAuth object and spreads it onto the request object. That same request object is then serialized verbatim into every log entry — success, HTTP error, timeout, and unknown error.

Anyone with access to bot execution logs (the bot owner, workspace admins, or anyone with log storage access) can read plaintext passwords from any HTTP block that uses Basic Auth.

Before:

logs.push({
  status: "success",
  details: JSON.stringify({ statusCode: response.status, response: body, request }),
  //                                                                       ^ includes username + password
});

After:

const safeRequest = omit(request, "username", "password");
// safeRequest used in all logs; original request used for the actual call

2. Unsanitized filename in S3 key construction (Medium)

handleGenerateUploadUrl.ts incorporates the user-supplied fileName directly into the S3 object key and the fileUrl returned to the client without any sanitization. While S3 doesn't resolve ../ as filesystem traversal, the raw filename could contain path separators that produce unexpected key structures or confuse downstream URL parsing.

Fix: basename(fileName) applied before building the key, stripping any directory components.

Test plan

  • HTTP block with Basic Auth: execution logs should show headers and url but no username/password fields
  • File upload with filename ../../../evil.txt — S3 key and returned fileUrl should use evil.txt only
  • Normal HTTP block execution and file upload continue to work as before

🤖 Generated with Claude Code
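
An added example, not code from this pull request or from Typebot, of the log redaction described in item 1: a log-safe copy of the request is built while the original is kept intact for the real HTTP call. It goes one step beyond the PR's omit(request, "username", "password") by also masking Authorization-style header values, on the assumption that such a header could still be present in request.headers; the HttpRequest shape, maskHeader, toLoggableRequest, buildLogEntry and the sample values are hypothetical.

```typescript
// Assumed request shape; only username/password come from the PR description.
type HttpRequest = {
  url: string;
  method: string;
  headers: Record<string, string>;
  username?: string;
  password?: string;
};

const SECRET_FIELDS = ["username", "password"];
const SECRET_HEADERS = ["authorization", "proxy-authorization"];

// Keep the auth scheme (e.g. "Basic") for debugging, drop the credential part.
// A value without a scheme is masked entirely.
function maskHeader(value: string): string {
  const space = value.indexOf(" ");
  return space === -1 ? "[REDACTED]" : value.slice(0, space) + " [REDACTED]";
}

// Returns a copy that is safe to serialize; the input object is not modified.
function toLoggableRequest(request: HttpRequest): Record<string, unknown> {
  const source = request as Record<string, unknown>;
  const safe: Record<string, unknown> = {};
  for (const key of Object.keys(source)) {
    if (SECRET_FIELDS.indexOf(key) === -1) safe[key] = source[key];
  }
  const headers: Record<string, string> = {};
  for (const name of Object.keys(request.headers)) {
    const secret = SECRET_HEADERS.indexOf(name.toLowerCase()) !== -1;
    headers[name] = secret ? maskHeader(request.headers[name]) : request.headers[name];
  }
  safe.headers = headers;
  return safe;
}

// One helper for every log path (success, HTTP error, timeout, unknown error).
function buildLogEntry(status: string, statusCode: number, request: HttpRequest) {
  const details = JSON.stringify({ statusCode, request: toLoggableRequest(request) });
  return { status, details };
}

// Constructed sample: "dXNlcjpwYXNz" is base64 for "user:pass".
const sampleRequest: HttpRequest = {
  url: "https://api.example.test/orders",
  method: "POST",
  headers: { Authorization: "Basic dXNlcjpwYXNz", "Content-Type": "application/json" },
  username: "user",
  password: "pass",
};
const sampleLog = buildLogEntry("success", 200, sampleRequest);
console.log(sampleLog.details);
```

Routing every log path through one helper means a newly added error branch cannot serialize the raw request by accident.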

…d sanitize upload filenames

Basic Auth credentials (username/password) extracted from request
headers were included in the request object and serialized verbatim
into execution logs. Any user with log access — including bot owners
reviewing their execution history — could read plaintext passwords.

A safeRequest object omitting username/password is now passed to all
log entries while the original request (with credentials) is still
used for the actual HTTP call.

Additionally, user-supplied file names in upload URL generation were
used without sanitization. basename() is now applied to strip any
directory components before constructing the S3 key and file URL.

Some code in this commit was written with assistance from a developer using AI tooling.

vercel Bot commented Apr 20, 2026

@beejak is attempting to deploy a commit to the Typebot Team on Vercel.

A member of the Team first needs to authorize it.
