From 8ee60a1b3971da08412c8eb1df49a4bfb0cadf8a Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Wed, 13 May 2026 00:36:27 +0000
Subject: [PATCH] [Security] Redact cookies in sanitized headers output

The `sanitizedHeadersOutput` function in `packages/cli-kit/src/private/node/api/headers.ts` is used to remove sensitive information from headers before outputting them (e.g., in debug logs). Previously, it only redacted headers containing 'token', 'authorization', or 'subject_token'. This change adds 'cookie' to the list of redacted keywords to ensure that sensitive session data in `Cookie` and `Set-Cookie` headers is also protected from accidental leakage in logs. A regression test has been added to `packages/cli-kit/src/private/node/api/headers.test.ts` to verify the fix.
---
 packages/cli-kit/src/private/node/api/headers.test.ts | 2 ++
 packages/cli-kit/src/private/node/api/headers.ts | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/cli-kit/src/private/node/api/headers.test.ts b/packages/cli-kit/src/private/node/api/headers.test.ts
index 13441e6a5a0..7ba107cf252 100644
--- a/packages/cli-kit/src/private/node/api/headers.test.ts
+++ b/packages/cli-kit/src/private/node/api/headers.test.ts
@@ -85,6 +85,8 @@ describe('common API methods', () => {
 authorization: 'token',
 'Content-Type': 'application/json',
 'X-Shopify-Access-Token': 'token',
+ Cookie: 'session=abc',
+ 'Set-Cookie': 'session=abc',
 }
 
 // When
diff --git a/packages/cli-kit/src/private/node/api/headers.ts b/packages/cli-kit/src/private/node/api/headers.ts
index 691505dc9e8..37145ac9c8a 100644
--- a/packages/cli-kit/src/private/node/api/headers.ts
+++ b/packages/cli-kit/src/private/node/api/headers.ts
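Review bot: The two added fixture lines only put `Cookie` and `Set-Cookie` into the input object; whether the sanitized output really drops them is decided by the assertion that follows `// When`, which lies outside this hunk, so the test only guards the fix if that assertion is updated too. Make sure it checks that the value `session=abc` does not appear in the result, e.g. `expect(got).not.toContain('session=abc')`, rather than only comparing the previously expected keys. Giving the two headers distinct values (say `session=abc` and `session=def`) would also make a missed `Set-Cookie` distinguishable from a missed `Cookie`. The enclosing test case starts and ends outside the hunk.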
@@ -33,7 +33,7 @@ export class GraphQLClientError extends RequestClientError {
 */
 export function sanitizedHeadersOutput(headers: Record): string {
 const sanitized: Record = {}
- const keywords = ['token', 'authorization', 'subject_token']
+ const keywords = ['token', 'authorization', 'subject_token', 'cookie']
 Object.keys(headers).forEach((header) => {
 if (keywords.find((keyword) => header.toLocaleLowerCase().includes(keyword)) === undefined) {
 sanitized[header] = headers[header]!
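Review bot: The keyword match on the `if (keywords.find(...` line lowercases the header name with `toLocaleLowerCase()`, so whether the new `cookie` keyword (and the existing `authorization`) is recognised depends on the process's default locale: under a Turkish or Azeri locale an upper-case `I` lowercases to dotless `ı`, so a header spelled `COOKIE` or `AUTHORIZATION` would not contain `cookie`/`authorization` and would be logged in clear. HTTP header names are ASCII, so the locale-independent form is the right one here: `if (keywords.find((keyword) => header.toLowerCase().includes(keyword)) === undefined) {`. Note also that the list remains a denylist, so a header that carries a secret without one of these substrings (an API-key style header, for instance) still passes through unredacted; that limitation is worth stating in the function's doc comment, which starts above the hunk. The function body continues past the hunk.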