AntFleet

Disagreement · bdb643be-openai-0

Logging OAuth/JWT token prefixes leaks sensitive information to logs

solo GPT-5
repo 7e34f3ef · PR #1 · reviewed 1 week ago

GPT-5 finding


medium · security · high
  • src/bridge/jwtUtils.ts
Even partial token values are sensitive and can be abused in some environments (e.g., if logs are accessible to other processes or uploaded to external services). Multiple log statements intentionally include the first 15 characters of tokens. This violates least-privilege for observable data and increases risk of credential exposure.

Recommendation

Never log any portion of tokens. Replace with constant strings like 'present' or use a constant-length masking (e.g., '<redacted>') without including characters from the token. Remove all uses of token.slice() in log output.
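An added example in TypeScript, not code from the reviewed PR or from src/bridge/jwtUtils.ts: every function name and both sample tokens are constructed here. It puts the `token.slice(0, 15)` log line the finding flags next to the constant-marker replacement it recommends, and adds a check of what a 15-character prefix actually discloses (for a JWT it is the start of the decoded header, for an opaque token a fixed fraction of the secret). The hash-derived `tokenFingerprint` goes beyond the finding's recommendation and is an assumed alternative for when log correlation is needed.

```typescript
// Added example, not the project's code. Function names and sample tokens are
// illustrative and constructed inline so the file runs offline.
import { createHash } from "crypto";

const PREFIX_LEN = 15; // the prefix length the finding describes

// base64url without padding, as used by JWT segments
const b64url = (s: string): string =>
  Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Constructed sample tokens (not real credentials).
const SAMPLE_JWT =
  b64url('{"alg":"HS256","typ":"JWT"}') + "." +
  b64url('{"sub":"user-42","iss":"https://issuer.example"}') + "." +
  b64url("not-a-real-signature-0123456789");
const SAMPLE_OPAQUE = "k9F2pQzL8mN3xR7vT1wB4yH6jC0sD5aE"; // 32 chars, constructed

// The pattern the finding flags: the first 15 characters of the token end up
// in the log line.
function logLineUnsafe(token: string): string {
  return `token prefix: ${token.slice(0, PREFIX_LEN)}`;
}

// The recommended replacement: presence only, constant-length marker, no
// characters taken from the token.
function logLineSafe(token: string | undefined): string {
  return `token: ${token ? "<redacted>" : "absent"}`;
}

// Assumed alternative, beyond the finding's text: a correlation id derived by
// hashing. It contains no characters of the token, but is only safe for
// high-entropy tokens (JWTs with signatures, >=128-bit random opaque tokens);
// a short or guessable token could be brute-forced offline against the hash.
function tokenFingerprint(token: string): string {
  return createHash("sha256").update(token).digest("hex").slice(0, 12);
}

// What a prefix of length n gives someone who reads the log.
function whatPrefixReveals(token: string, n: number = PREFIX_LEN): string {
  const prefix = token.slice(0, n);
  if (token.split(".").length === 3) {
    // JWT: the prefix is (part of) the base64url header, so decode it.
    const headerPart = prefix.split(".")[0];
    const decoded = Buffer.from(
      headerPart.replace(/-/g, "+").replace(/_/g, "/"),
      "base64",
    ).toString("utf8");
    return `JWT header fragment: ${decoded}`;
  }
  // Opaque token: a fixed share of the secret is exposed verbatim.
  const pct = Math.round((100 * Math.min(n, token.length)) / token.length);
  return `opaque token: ${pct}% of the secret exposed`;
}

for (const t of [SAMPLE_JWT, SAMPLE_OPAQUE]) {
  console.log(logLineUnsafe(t), "=>", whatPrefixReveals(t));
  console.log(logLineSafe(t), "correlation:", tokenFingerprint(t));
}
```

Running it shows that the 15 characters of the sample JWT decode to `{"alg":"HS2`, so the logged fragment is the signing algorithm rather than opaque noise, while the safe line is identical for every token and carries nothing to brute-force.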

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
