From 1076958bb326bd0a171626fc3cfb354a6d90d849 Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Sat, 9 May 2026 00:36:05 +0000
Subject: [PATCH] [Security] Sanitize Cookie headers in debug logs

Adds 'cookie' to the list of keywords to be sanitized in debug logs to prevent sensitive session data leakage. Includes unit tests to verify the sanitization of Cookie and Set-Cookie headers.
---
 packages/cli-kit/src/private/node/api/headers.test.ts | 2 ++
 packages/cli-kit/src/private/node/api/headers.ts | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/cli-kit/src/private/node/api/headers.test.ts b/packages/cli-kit/src/private/node/api/headers.test.ts
index 13441e6a5a0..0e177446ca7 100644
--- a/packages/cli-kit/src/private/node/api/headers.test.ts
+++ b/packages/cli-kit/src/private/node/api/headers.test.ts
@@ -85,6 +85,8 @@ describe('common API methods', () => {
 authorization: 'token',
 'Content-Type': 'application/json',
 'X-Shopify-Access-Token': 'token',
+Cookie: 'session=123',
+'Set-Cookie': 'session=456',
 }
 
 // When
diff --git a/packages/cli-kit/src/private/node/api/headers.ts b/packages/cli-kit/src/private/node/api/headers.ts
index 691505dc9e8..37145ac9c8a 100644
--- a/packages/cli-kit/src/private/node/api/headers.ts
+++ b/packages/cli-kit/src/private/node/api/headers.ts
@@ -33,7 +33,7 @@ export class GraphQLClientError extends RequestClientError {
 */
 export function sanitizedHeadersOutput(headers: Record): string {
 const sanitized: Record = {}
-const keywords = ['token', 'authorization', 'subject_token']
+const keywords = ['token', 'authorization', 'subject_token', 'cookie']
 Object.keys(headers).forEach((header) => {
 if (keywords.find((keyword) => header.toLocaleLowerCase().includes(keyword)) === undefined) {
 sanitized[header] = headers[header]!
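Review bot: The assertion on the expected output for the two new headers lies outside this hunk, so the hunk alone does not show whether the test checks that the values `session=123` and `session=456` are absent from the returned string, rather than only that the redacted keys are present. A test for a redaction change is most convincing when it also asserts the secret never appears anywhere in the output, e.g. `expect(output).not.toContain('session=')` on the string the test captures after `// When` (using the test's own variable name). The enclosing test case starts and ends outside the hunk.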
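Review bot: The new `'cookie'` keyword is matched by the context line `header.toLocaleLowerCase().includes(keyword)`, and `toLocaleLowerCase()` with no locale argument lowercases according to the host locale, so under a Turkish or Azeri locale an upper-case `COOKIE` or `AUTHORIZATION` header name (whose `I` lowercases to dotless `ı`) would fail to match and be logged unredacted. Header names are ASCII, so `header.toLowerCase().includes(keyword)` is the safer comparison and costs nothing. It would also help a future maintainer to document that the match is a case-insensitive substring test on the header name, which is why `Set-Cookie` and `Proxy-Authorization` are covered without being listed; a comment above the keywords line such as `// Redact any header whose name contains one of these substrings (case-insensitive)` would do. sanitizedHeadersOutput continues past the end of the hunk.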