Redact user code and response data from Code.run debug logs (CWE-532)#13
Closed
sebastiondev wants to merge 1 commit into
Closed
Redact user code and response data from Code.run debug logs (CWE-532)#13sebastiondev wants to merge 1 commit into
sebastiondev wants to merge 1 commit into
Conversation
Code.run() previously logged the full code body and full response data
in plaintext via log_operation_start() and log_operation_success().
In agent frameworks where code may contain secrets, API keys, or
credentials, this creates a credential harvesting vector for anyone
with log access.
Changes:
- Replace Code={code} with CodeLength={len(code)} in operation start log
- Replace ResponseData={result.data} with RequestId={result.request_id}
in operation success log
This follows the same pattern used by Command.execute which logs
command metadata without dumping the full content.
|
Closing this to reduce the open-PR pile-up — we have multiple outstanding security contributions to this repo and that volume is not fair on your review queue. Keeping #11 (fix: reject symlinks in extension upload to prevent arbitrary file exfiltration ) as the primary one to focus attention on. Happy to revisit this finding separately later if it is still relevant. Apologies for the noise. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
Code.run()method in bothagb/modules/code.pyandpython/agb/modules/code.pylogs the full user-supplied code and the full response data throughlog_operation_start/log_operation_success. These calls emit at DEBUG level via loguru. When debug logging is enabled (e.g.AGB_LOG_LEVEL=DEBUG, a common troubleshooting setting), the logs end up containing whatever the caller passes to the sandbox and whatever the sandbox returns — which in practice often includes API keys, tokens, query results, file contents, and other data that callers reasonably expect to remain in-process.This is a CWE-532 (Insertion of Sensitive Information into Log File) issue.
Affected:
agb/modules/code.py—Code.run()python/agb/modules/code.py—Code.run()(mirrored copy)Data flow:
Code.run(code=..., language=...)with code that may embed secrets or process sensitive inputs.log_operation_start("Code.run", f"...Code={code}")writes the full source to the logger.log_operation_success("Code.run", f"ResponseData={result.data}")writes the full execution output.Fix
Replace the sensitive payloads with non-sensitive metadata that still preserves debugging value:
Code={code}→CodeLength={len(code)}ResponseData={result.data}→RequestId={result.request_id}The request ID is already used elsewhere as the correlation handle for support/debugging, and code length is sufficient to confirm the call shape without leaking content. The parsed result is still returned to the caller unchanged — only the log line is redacted.
Test results
Language,TimeoutS,CodeLength,RequestId) at the same levels as before.Why this is worth fixing
Before submitting, we tried to disprove the finding. The main mitigation candidates would be (a) loguru's default level filtering out these records, or (b) the SDK never being run with debug logging in environments where logs are retained. Neither holds up:
AGBLogger.set_level("DEBUG")and theAGB_LOG_LEVELenv var are documented entry points, debug logging is routinely enabled when diagnosing sandbox failures (which is exactly when the executed code matters), and loguru sinks frequently include rotating files or stdout captured by orchestrators. There is no scrubbing layer between these log calls and the sinks, so once DEBUG is on, the secrets are written verbatim. Exploitation requires DEBUG logging plus log access rather than being a remote-trigger bug, so severity is moderate — but the fix is one-line-per-site and removes the exposure entirely.Diff scope
Two files, 7 insertions / 10 deletions. No dependency, config, or API changes.
cc @lewiswigmore