Skip to content

fix: omit authorization from request debug dumps#8768

Open
officialasishkumar wants to merge 1 commit into
NousResearch:mainfrom
officialasishkumar:fix/redact-request-dump-auth
Open

fix: omit authorization from request debug dumps#8768
officialasishkumar wants to merge 1 commit into
NousResearch:mainfrom
officialasishkumar:fix/redact-request-dump-auth

Conversation

@officialasishkumar
Copy link
Copy Markdown

@officialasishkumar officialasishkumar commented Apr 13, 2026

What does this PR do?

Removes the Authorization header from request debug dump files written by _dump_api_request_debug().

The dump is meant to help diagnose provider request failures, but it does not need to persist credential material. Omitting the header entirely avoids exposing even partially masked API keys in request_dump_*.json files while preserving the request URL, content type, body, and error context needed for debugging.

Related Issue

Fixes #8518

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

  • Removed API key extraction from _dump_api_request_debug() in run_agent.py.
  • Removed Authorization from the persisted debug dump header payload.
  • Added a regression test that writes a dump and verifies no full or partial API key material appears in the serialized JSON.

How to Test

  1. Run: 
    python -m pytest tests/run_agent/test_run_agent.py::TestApiRequestDebugDump tests/run_agent/test_run_agent.py::TestMaskApiKey -q -o addopts=''
  2. Confirm the dump contains only Content-Type under request headers.
  3. Confirm the serialized dump does not contain Authorization or API key fragments.

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: Ubuntu Linux 6.8 x86_64

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

For New Skills

N/A

Screenshots / Logs

Targeted test output:

4 passed, 1 warning in 1.47s

@alt-glitch alt-glitch added type/security Security vulnerability or hardening P0 Critical — data loss, security, crash loop comp/agent Core agent loop, run_agent.py, prompt builder labels Apr 28, 2026
@alt-glitch
Copy link
Copy Markdown
Collaborator

alt-glitch commented Apr 28, 2026

Likely duplicate of #8533 — both strip Authorization header from _dump_api_request_debug() debug dumps to fix #8518.

@alt-glitch alt-glitch mentioned this pull request May 2, 2026
Open
1 task
@zons-zhaozhy zons-zhaozhy mentioned this pull request May 2, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

comp/agent Core agent loop, run_agent.py, prompt builder P0 Critical — data loss, security, crash loop type/security Security vulnerability or hardening

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security] API key exposed in request debug dumps via incomplete masking

2 participants

@officialasishkumar @alt-glitch