Skip to content

fix: don't show full api key in logs #5162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 7, 2025
Merged

fix: don't show full api key in logs #5162

merged 1 commit into from
Aug 7, 2025

Conversation

wenxi-onyx
Copy link
Member

@wenxi-onyx wenxi-onyx commented Aug 7, 2025
edited
Loading

Description

title

How Has This Been Tested?

locally

Backporting (check the box to trigger backport action)

Note: You have to check that the action passes, otherwise resolve the conflicts manually and tag the patches.

  • This PR should be backported (make sure to check that the backport attempt succeeds)
  • [Optional] Override Linear Check

Summary by cubic

API keys are now masked in logs to prevent exposing full keys during model configuration logging.

@wenxi-onyx wenxi-onyx requested a review from a team as a code owner August 7, 2025 02:01
@vercel Vercel
Copy link

vercel bot commented Aug 7, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
internal-search ✅ Ready (Inspect) Visit Preview 💬 Add feedback Aug 7, 2025 2:05am

greptile-apps[bot]
greptile-apps bot reviewed Aug 7, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Greptile Summary

This PR addresses a critical security vulnerability where API keys were being exposed in debug logs. The fix modifies the log_model_configs method in the DefaultMultiLLM class to use a masked version of the configuration instead of logging the raw config.

The change introduces a _safe_model_config method that creates a sanitized copy of the configuration where the API key is masked using the existing mask_string utility function (which shows only the last 4 characters). The log_model_configs method now calls this safe version instead of directly logging self.config.

This fix is essential for maintaining security best practices in production environments where log files could be accessed by multiple parties. The implementation preserves the debugging functionality while preventing sensitive credentials from appearing in application logs. The code reorganization moves _safe_model_config above log_model_configs to satisfy the dependency relationship between these methods.

Confidence score: 5/5

  • This PR is extremely safe to merge with no risk of production issues
  • Score reflects a straightforward security fix with clear implementation and no complex logic changes
  • No files require special attention as this is a focused security improvement

1 file reviewed, no comments

Edit Code Review Bot Settings | Greptile

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Aug 7, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cubic analysis

No issues found across 1 file. Review in cubic

evan-onyx
evan-onyx approved these changes Aug 7, 2025
View reviewed changes
Copy link
Contributor

@evan-onyx evan-onyx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally our debug logs are "unsafe" atm but I'm in favor of making them more secure overall

@Weves Weves merged commit e1a305d into main Aug 7, 2025
17 of 20 checks passed
@Weves Weves deleted the bugfix/dont_log_llm_api_key branch August 7, 2025 07:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@evan-onyx evan-onyx evan-onyx approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wenxi-onyx @evan-onyx @Weves