Secure coding improvements, pr number 1#391
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request significantly enhances application security by implementing credential redaction in logs and strengthening Kubernetes deployment configurations. Specifically, a new _redact utility and associated regex patterns were introduced in mcp_server/gateway.py to prevent sensitive data like API keys and tokens from appearing in log outputs, with comprehensive unit tests added for validation. The set_litellm_debug function was updated to prevent token leakage by requiring an explicit environment variable for debug logging and adding a clear warning. Furthermore, all Kubernetes deployment files were updated to enforce runAsNonRoot: true and apply a default seccompProfile for improved runtime security. A review comment suggested making the _REDACT_PATTERNS a frozenset to ensure its immutability.
Signed-off-by: Tomas Tomecek <ttomecek@redhat.com> Assisted-by: Claude
Signed-off-by: Tomas Tomecek <ttomecek@redhat.com> Assisted-by: Claude
TomasTomecek
force-pushed
the
secure-coding-1
branch
from
5289208 to
d9b604d
Compare
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces several security enhancements, including the integration of detect-secrets into the pre-commit workflow, the addition of a redaction mechanism to mask sensitive credentials in logs, and the hardening of OpenShift deployments with non-root security contexts. Feedback focuses on refining the redaction regex to prevent destructive string replacement, consolidating duplicate sanitization logic into a shared utility, and strengthening unit tests to verify that redacted strings preserve their original structure.
Signed-off-by: Tomas Tomecek <ttomecek@redhat.com> Assisted-by: Claude
Signed-off-by: Tomas Tomecek <ttomecek@redhat.com> Assisted-by: Claude
TomasTomecek
force-pushed
the
secure-coding-1
branch
from
d9b604d to
5bfd68c
Compare
| # Bearer tokens in URLs or strings | ||
| re.compile(r"oauth2:[^@\s]+@"), | ||
| # Testing Farm API tokens (UUID format) | ||
| re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE), |
There was a problem hiding this comment.
I'm curious if this won't cause trouble when logging e.g. Celery task IDs (if we decide to use Celery).
There was a problem hiding this comment.
great point Nikola; I expect that we'll update the regexes in the future or even the logging mechanism
3 participants
I will send more with followup PRs. There were even more changes here but decided to split/cut them because I didn't like Claude's proposals.
Claude's detailed overview:
2. Add credential redaction to MCP gateway logs (HIGH)
Files:
mcp_server/gateway.py,mcp_server/tests/unit/test_gateway.pyAdded
_redact()function with regex patterns matching common credential formats:glpat-...)sk-ant-...)AIzaSy...)oauth2:...@)The
log_tool_calldecorator now redacts all tool arguments and error messages before logging.Test coverage: 20 unit tests covering pattern matching, edge cases, and real-world scenarios.
3. Add LITELLM_DEBUG environment variable guard (HIGH)
Files:
agents/utils.py,templates/beeai-agent.envset_litellm_debug()now checks forLITELLM_DEBUGenv var before enabling debug mode. If not set, logs a warning and returns without enabling token-leaking debug output.Added comprehensive documentation explaining the security risk and usage.
5. Add SecurityContext to K8s deployments (LOW)
Files:
openshift/deployment-*.yml(10 files)Replaced empty
securityContext: {}with:Matches the pattern already used in cronjob manifests.