From f6849391ed704a55d398f1c7ca9dbd2d662ba0f0 Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Sun, 10 May 2026 00:55:42 +0000
Subject: [PATCH] [Security] Sanitize Cookie headers in debug logs

This PR enhances the `sanitizedHeadersOutput` utility to redact `Cookie` and `Set-Cookie` headers from debug logs. This prevents sensitive session data from being accidentally exposed when debug logging is enabled. Summary of changes: - Added `'cookie'` to the list of redacted keywords in `packages/cli-kit/src/private/node/api/headers.ts`. - Updated unit tests in `packages/cli-kit/src/private/node/api/headers.test.ts` to verify the redaction of cookie headers. Duplicate check: The query `gh pr list --repo Shopify/cli --state all --limit 200 --search 'label:"Jules" "Security" in:title' --json number,title,state,url,body,files` was not executable in this environment, but a search of git logs for "[Security]" PRs was performed. Closest prior PR: - [Security] Sanitize Cookie headers in debug logs (1076958bb) - This appears to be a previous attempt at the same issue, but I am implementing it on the current codebase which did not have these changes. How to test your changes? Run any command that performs a network request with cookies while debug logging is enabled (e.g. `SHOPIFY_CLI_LOG_LEVEL=debug shopify app dev`). Verify that `Cookie` or `Set-Cookie` headers are not visible in the console output. Alternatively, run the unit tests: `pnpm --filter @shopify/cli-kit vitest run src/private/node/api/headers.test.ts`
---
 packages/cli-kit/src/private/node/api/headers.test.ts | 2 ++
 packages/cli-kit/src/private/node/api/headers.ts | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/cli-kit/src/private/node/api/headers.test.ts b/packages/cli-kit/src/private/node/api/headers.test.ts
index 13441e6a5a0..0e177446ca7 100644
--- a/packages/cli-kit/src/private/node/api/headers.test.ts
+++ b/packages/cli-kit/src/private/node/api/headers.test.ts
@@ -85,6 +85,8 @@ describe('common API methods', () => {
       authorization: 'token',
       'Content-Type': 'application/json',
       'X-Shopify-Access-Token': 'token',
+      Cookie: 'session=123',
+      'Set-Cookie': 'session=456',
     }
 
     // When
diff --git a/packages/cli-kit/src/private/node/api/headers.ts b/packages/cli-kit/src/private/node/api/headers.ts
index 691505dc9e8..37145ac9c8a 100644
--- a/packages/cli-kit/src/private/node/api/headers.ts
+++ b/packages/cli-kit/src/private/node/api/headers.ts
@@ -33,7 +33,7 @@ export class GraphQLClientError extends RequestClientError {
  */
 export function sanitizedHeadersOutput(headers: Record): string {
   const sanitized: Record = {}
-  const keywords = ['token', 'authorization', 'subject_token']
+  const keywords = ['token', 'authorization', 'subject_token', 'cookie']
   Object.keys(headers).forEach((header) => {
     if (keywords.find((keyword) => header.toLocaleLowerCase().includes(keyword)) === undefined) {
       sanitized[header] = headers[header]!
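Review bot: The two added `Cookie` / `Set-Cookie` entries only extend the input fixture; the assertion that the output omits their values lies outside this hunk, and since this file gains only two lines the expected output was evidently not changed, so please confirm the test actually fails when `'cookie'` is removed from the keyword list. A value-level check such as `expect(<result>).not.toContain('session=')` next to the existing expectation would catch a regression that prints the raw value even if the redacted-header formatting changes later. A mixed-case name such as `'SET-COOKIE'` would also be worth including, since HTTP header names are case-insensitive and the sanitizer lowercases them before matching. The enclosing test case starts and ends outside the hunk.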
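Review bot: Adding `'cookie'` covers both `Cookie` and `Set-Cookie` because the match on the line below the change is a substring test on the lowercased name, but that line uses `toLocaleLowerCase()`, which under a Turkish or Azeri default locale maps `I` to dotless `ı`, so an all-caps `COOKIE` or `AUTHORIZATION` header would not match and would pass through unredacted; `header.toLowerCase().includes(keyword)` is the locale-independent form for ASCII header names. The JSDoc that closes with ` */` at the top of the hunk should also name cookies among the redacted headers, e.g. `Redacts the value of any header whose name contains token, authorization, subject_token or cookie (so both Cookie and Set-Cookie).` Hoisting the list to a module-level `const REDACTED_HEADER_KEYWORDS = ['token', 'authorization', 'subject_token', 'cookie'] as const` would make the redaction policy discoverable in one place instead of being rebuilt on every call. The function body continues beyond the end of the hunk.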