mask credentials in malwarelist urls and prevent log poisoning #386

Open
123Haynes wants to merge 1 commit into AikidoSec:main from 123Haynes:fix_malware-list-logging
123Haynes (Contributor) commented Apr 3, 2026

@bitterpanda63 a small follow-up to #365 that I missed yesterday.
Since users can now provide custom malware list URLs, it is also possible that they provide URLs with basic auth credentials if their mirror requires these.
We don't want to log these credentials.
I also added some basic protection against log poisoning since this is a user-provided value.

Current behaviour: safe-chain may log this: `https://user:pass@cli-mirror.com\nmalicious`
With this PR it will log this: `https://***@cli-mirror.commalicious`

Summary by Aikido

Security Issues: 0 Quality Issues: 0 Resolved Issues: 0

⚡ Enhancements

  • Added function to mask credentials and remove control characters.
  • Replaced malware list logging with masked URLs to prevent credential exposure.
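
An added example, not part of the pull request or of safe-chain's code: one way to produce the log output described above, by stripping control characters first and then masking the userinfo part of the URL. The function names and all sample URLs except the PR's own are constructed for illustration; the example also covers passwords that contain `@` and terminal escape sequences, which the description does not mention.

```javascript
// Added illustration, not safe-chain's code; all names here are hypothetical.

// C0 controls (including CR, LF and ESC), DEL, C1 controls,
// and the Unicode line/paragraph separators.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f\u2028\u2029]/g;

// scheme://userinfo@ where userinfo runs up to the last "@"
// that appears before any "/", "?" or "#".
const USERINFO = /^([a-z][a-z0-9+.-]*:\/\/)[^\/?#]*@/i;

function stripControlChars(value) {
  return String(value).replace(CONTROL_CHARS, "");
}

function maskUrlForLog(rawUrl) {
  // Strip first, so an injected line break can neither split the log
  // entry nor sit in front of the scheme and defeat the anchored mask.
  const cleaned = stripControlChars(rawUrl).trim();
  return cleaned.replace(USERINFO, "$1***@");
}

// Constructed sample inputs; the first is the case from the PR description.
const samples = [
  "https://user:pass@cli-mirror.com\nmalicious",
  "https://user:p@ss@mirror.example/list.json",
  "https://mirror.example/list.json?owner=a@b",
  "https://mirror.example/\u001b[2K\r[INFO] forged entry",
];

for (const s of samples) {
  console.log(`Fetching malware list from ${maskUrlForLog(s)}`);
}
```

Both the username and the password are replaced, so the log line still shows that credentials were configured without revealing either part.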
