mirror of https://github.com/dograh-hq/dograh.git, synced 2026-06-13 08:15:21 +02:00
contains_masked_key() guards against persisting a still-masked secret by
checking for the MASK_MARKER ("***") substring. But mask_key() only emits
3+ consecutive asterisks for keys longer than VISIBLE_CHARS + 2. For short
secrets it emits fewer: e.g. mask_key("EMPTY") == "*MPTY" (a single
asterisk). Such masked values slip past the guard, so a dashboard
"save without editing" round-trips the masked display string back and
overwrites the real stored value with e.g. "*MPTY".
This bites self-hosted/OpenAI-compatible providers that use a short
no-validate sentinel api_key such as "EMPTY".
Match the full shape mask_key() produces — a run of MASK_CHAR followed by
at most VISIBLE_CHARS revealed characters — in addition to the legacy
marker. Verified: masked short secrets ("*MPTY", "*", "*ykey") are now
detected while real unmasked values ("EMPTY", "sk-live-abcd", ...) are
not, so there are no false positives.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
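As an added illustration of the bug and the fix described in the commit message (not the project's own code): the helper bodies below are a hypothetical reconstruction built only from the behaviour the message states, with `VISIBLE_CHARS` assumed to be 4 so that `mask_key("EMPTY")` yields `"*MPTY"`. The `save_api_key()` round-trip and the `_MASKED_SHAPE` pattern are this example's assumptions, not identifiers from the repository.

```python
import re

# Hypothetical reconstruction of the masking helpers; names follow the commit
# message, the constant values and bodies are this example's own assumptions.
MASK_CHAR = "*"
MASK_MARKER = MASK_CHAR * 3      # legacy "***" substring check
VISIBLE_CHARS = 4                # trailing characters left readable


def mask_key(key: str) -> str:
    """Mask a secret for display: a run of MASK_CHAR followed by at most
    VISIBLE_CHARS trailing characters. Keys of VISIBLE_CHARS + 2 chars or
    fewer therefore produce fewer than three asterisks."""
    revealed = key[-VISIBLE_CHARS:] if len(key) > VISIBLE_CHARS else ""
    stars = MASK_CHAR * max(1, len(key) - len(revealed))
    return stars + revealed


def contains_masked_key_legacy(value: str) -> bool:
    """Guard before the fix: only the MASK_MARKER substring is recognised,
    so a short masked value such as "*MPTY" is treated as a real secret."""
    return MASK_MARKER in value


# Full shape mask_key() produces: one or more MASK_CHAR, then 0..VISIBLE_CHARS
# revealed characters. fullmatch() anchors both ends, so a real value that
# merely contains an asterisk is not matched.
_MASKED_SHAPE = re.compile(re.escape(MASK_CHAR) + "+.{0," + str(VISIBLE_CHARS) + "}")


def contains_masked_key(value: str) -> bool:
    """Guard after the fix: legacy marker OR the exact masked shape."""
    return MASK_MARKER in value or _MASKED_SHAPE.fullmatch(value) is not None


def save_api_key(stored: str, submitted: str, guard=contains_masked_key) -> str:
    """Simulated dashboard save: a submitted value that is still masked means
    "unchanged", so the real stored secret is kept instead of being overwritten."""
    if guard(submitted):
        return stored
    return submitted


if __name__ == "__main__":
    display = mask_key("EMPTY")            # "*MPTY", a single asterisk
    # Legacy guard lets the masked string overwrite the stored sentinel.
    print(save_api_key("EMPTY", display, guard=contains_masked_key_legacy))
    # Fixed guard keeps the real value on a save-without-editing round-trip.
    print(save_api_key("EMPTY", display))
```

Running the block prints `*MPTY` for the legacy guard (the overwrite the commit describes) and `EMPTY` for the fixed one; unmasked inputs such as `"EMPTY"` and `"sk-live-abcd"` are still persisted unchanged because they do not start with the mask character.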
Directory listing at this commit:

| Name |
|---|
| .. |
| alembic |
| assets |
| db |
| errors |
| mcp_server |
| native/rnnoise |
| routes |
| schemas |
| services |
| tasks |
| tests |
| utils |
| .cursorignore |
| .dockerignore |
| .env.example |
| .env.test.example |
| .gitignore |
| __init__.py |
| AGENTS.md |
| alembic.ini |
| app.py |
| CLAUDE.md |
| conftest.py |
| constants.py |
| Dockerfile |
| enums.py |
| logging_config.py |
| pyproject.toml |
| pytest.ini |
| requirements.dev.txt |
| requirements.txt |
| sdk_expose.py |