Disagreement · 6017bf3f-anthropic-4

OAuth/API-key classification can mislabel keys and write to the wrong secret

solo Opus

repo 6f7fc663·PR #25·reviewed 1 week ago

Opus finding

OAuth/API-key classification can mislabel keys and write to the wrong secret

mediumbughigh

dashboard/app/api/auth/route.ts:60-71

Any non-empty body.key that does not start with `sk-ant-oat` (including typos, blanks-with-stray-chars, random strings, or future Anthropic key prefixes) is assumed to be an API key and silently written to ANTHROPIC_API_KEY. There is no validation that the value matches `sk-ant-api...` or any sane format/length. Users can easily blow away a working ANTHROPIC_API_KEY with garbage, and the response cheerfully says `{ ok: true, method: 'api-key' }`.

Recommendation

Validate the key shape: require `/^sk-ant-(oat|api)-[A-Za-z0-9_-]{20,}$/` (or whatever Anthropic's current shape is). Reject otherwise with 400.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗