mirror of
https://github.com/dograh-hq/dograh.git
synced 2026-06-13 08:15:21 +02:00
ecb331a53c
contains_masked_key() guards against persisting a still-masked secret by
checking for the MASK_MARKER ("***") substring. But mask_key() only emits
3+ consecutive asterisks for keys longer than VISIBLE_CHARS + 2. For short
secrets it emits fewer: e.g. mask_key("EMPTY") == "*MPTY" (a single
asterisk). Such masked values slip past the guard, so a dashboard
"save without editing" round-trips the masked display string back and
overwrites the real stored value with e.g. "*MPTY".
This bites self-hosted/OpenAI-compatible providers that use a short
no-validate sentinel api_key such as "EMPTY".
Match the full shape mask_key() produces — a run of MASK_CHAR followed by
at most VISIBLE_CHARS revealed characters — in addition to the legacy
marker. Verified: masked short secrets ("*MPTY", "*", "*ykey") are now
detected while real unmasked values ("EMPTY", "sk-live-abcd", ...) are
not, so there are no false positives.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| options | ||
| __init__.py | ||
| check_validity.py | ||
| defaults.py | ||
| masking.py | ||
| merge.py | ||
| registry.py | ||
| resolve.py | ||