Adawg4 / openapi-autospec

Proxy server that generates API specs for any app or website on localhost.
http://portway.ai
632 stars, 16 forks

Potential of leaking secrets #1

Closed nickpadovani closed 2 months ago

nickpadovani commented 7 months ago

To preface: this tool is awesome. However, a suggestion for improvement: it seems the app properly recognizes authorization / security schemes based on:

[Screenshot 2024-03-25 at 9:33:10 PM]

However, I think given it recognizes this, it should obfuscate, omit, or remove the actual secret it intercepts (in this case a bearer token):

[Screenshot 2024-03-25 at 9:34:16 PM]

Assuming someone had GHAS or other security scanning turned on, it would get caught, but if someone blindly committed the output documentation and didn't have this kind of scanning, they could have a bad time (especially in a public repo).

japentaca commented 7 months ago

I think the objective of this tool is for development environments, where secrets are known to the same people who will get the results from the tool. Anyway, some kind of redaction dictionary functionality would be good.
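The post-processing step both comments describe, as an added example that is not code from openapi-autospec: it takes a generated OpenAPI 3 document and (1) blanks the example values of every header the spec's own `securitySchemes` declares as a credential carrier (plus `Authorization`, `Proxy-Authorization` and `Cookie` by default), (2) masks any `Bearer <token>` string wherever it appears, and (3) applies a developer-supplied redaction dictionary of known secret values to every string in the document. The spec shape and the sample values (`sk_live_12345`, `eyJabc.def.ghi`) are constructed for the example; `redactSpec`, `sensitiveHeaderNames` and the option names are assumptions, not the project's API.

```javascript
// Added example: redact intercepted credentials from a generated OpenAPI
// document before it is written to disk or committed. Not part of
// openapi-autospec; function and option names are hypothetical.

const DEFAULT_MASK = "<REDACTED>";
// Keys whose values are captured traffic rather than schema structure.
const VALUE_KEYS = new Set(["example", "examples", "default", "enum", "value"]);
// RFC 6750 token68 characters after the "Bearer" prefix.
const BEARER_RE = /\bBearer\s+[A-Za-z0-9\-._~+\/]+=*/g;

// Header names (lower-cased) that carry credentials: a fixed baseline plus
// every apiKey-in-header scheme the spec itself declares.
function sensitiveHeaderNames(spec) {
  const names = new Set(["authorization", "proxy-authorization", "cookie"]);
  const schemes = (spec.components && spec.components.securitySchemes) || {};
  for (const scheme of Object.values(schemes)) {
    if (scheme && scheme.type === "apiKey" && scheme.in === "header" && scheme.name) {
      names.add(scheme.name.toLowerCase());
    }
  }
  return names;
}

// Mask bearer tokens and any dictionary entry inside an arbitrary string.
function maskString(value, dictionary, mask) {
  let out = value.replace(BEARER_RE, `Bearer ${mask}`);
  for (const secret of dictionary) {
    if (secret) out = out.split(secret).join(mask);
  }
  return out;
}

// Recursive walk. `inSensitive`: we are inside a header parameter or header
// map entry that carries credentials. `inValue`: we are under an example-like
// key. Only strings that are both are blanked outright; every other string
// still gets the bearer/dictionary masking. Schema structure (type, format)
// is left intact so the spec stays valid. Returns a new object.
function walk(node, ctx, inSensitive, inValue) {
  if (typeof node === "string") {
    return inSensitive && inValue ? ctx.mask : maskString(node, ctx.dictionary, ctx.mask);
  }
  if (Array.isArray(node)) return node.map((n) => walk(n, ctx, inSensitive, inValue));
  if (node && typeof node === "object") {
    // Parameter object form: { name: "Authorization", in: "header", example: ... }
    const isSensitiveParam =
      node.in === "header" && typeof node.name === "string" &&
      ctx.headerNames.has(node.name.toLowerCase());
    const result = {};
    for (const [key, value] of Object.entries(node)) {
      // Header map form: responses[...].headers.Authorization = { ... }
      const sensitive = inSensitive || isSensitiveParam || ctx.headerNames.has(key.toLowerCase());
      result[key] = walk(value, ctx, sensitive, inValue || VALUE_KEYS.has(key));
    }
    return result;
  }
  return node;
}

function redactSpec(spec, { dictionary = [], mask = DEFAULT_MASK } = {}) {
  const ctx = { headerNames: sensitiveHeaderNames(spec), dictionary, mask };
  return walk(spec, ctx, false, false);
}

// Constructed sample shaped like a generated spec; values are fake.
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  components: {
    securitySchemes: {
      bearerAuth: { type: "http", scheme: "bearer" },
      apiKeyAuth: { type: "apiKey", in: "header", name: "X-Api-Key" },
    },
  },
  paths: {
    "/me": {
      get: {
        parameters: [
          { name: "Authorization", in: "header", schema: { type: "string" }, example: "Bearer eyJabc.def.ghi" },
          { name: "X-Api-Key", in: "header", schema: { type: "string" }, example: "sk_live_12345" },
          { name: "X-Trace", in: "header", schema: { type: "string" }, example: "trace-1" },
        ],
        responses: {
          "200": {
            description: "ok",
            content: { "application/json": { example: { note: "token was sk_live_12345", id: 7 } } },
          },
        },
      },
    },
  },
};

console.log(JSON.stringify(redactSpec(SAMPLE_SPEC, { dictionary: ["sk_live_12345"] }), null, 2));
```

The dictionary covers the case japentaca raises (the developer already knows the secrets and can list them), while the scheme-driven pass covers nickpadovani's case where the tool has already identified the header as a credential carrier and can blank it without being told. Non-credential headers such as `X-Trace` keep their captured examples.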