Vulnerability Summary
Severity: MEDIUM (CVSS 5.5)
CWE: CWE-532 (Information Exposure Through Log Files), CWE-209 (Information Exposure Through Error Messages)
Locations: reporters/html.py, various error handlers
Impact: Leakage of sensitive paths, credentials, and system information
Description
HTML reports and error messages may expose sensitive information:
- Absolute file paths in repository metadata
- User home directories in file paths
- System information in error stack traces
- API keys in error messages (partially mitigated)
- Commit hashes (full hash, should be shortened)
- Command-line arguments in metadata (may contain secrets)
Vulnerability Analysis
1. Full Path Exposure in Reports
```html
<!-- report.html.j2:538 -->
<div class="info-line">📁 {{ repository.path }}</div>
<!-- Exposes: /Users/jeremy/secret-project/src -->
```
2. Command Arguments in Metadata
```python
# scanner.py:124 - Captures full command line
command = " ".join(sys.argv)
# Could include: agentready assess /secret/path --config /home/user/.credentials.yaml
```
3. Stack Traces in Error Findings
```python
# scanner.py:275-279
except Exception as e:
    if verbose:
        print(f"error ({type(e).__name__})")
    return Finding.error(assessor.attribute, reason=str(e))
    # str(e) may contain file paths, line numbers, sensitive data
```
4. Evidence Contains File Contents
```python
# Findings may include sensitive file contents
evidence = [
    "Found ANTHROPIC_API_KEY in .env: sk-ant-xxxxx",
    "Database password in config.yaml: mypassword123",
]
```
Attack Vectors
1. Shared HTML Reports
User shares HTML report for collaboration:
```html
<!-- Report contains: -->
<div>📁 /Users/jeremy/.ssh/config-repo</div>
<div>Command: agentready assess /secret/clients/acme-corp --config ~/.aws/credentials.yaml</div>
```
Reveals:
- Username (jeremy)
- Project structure (.ssh/, clients/)
- Configuration locations (~/.aws/)
2. Public GitHub Pages
User publishes report to GitHub Pages:
https://username.github.io/repo/report.html
Now indexed by Google, exposing all system paths.
3. Error Messages in CI Logs
Error during assessment: FileNotFoundError: /home/runner/work/secret-client-name/api-keys/production.yaml
Reveals:
- Client name
- Sensitive file locations
- System architecture
Security Impact
- Information disclosure: System paths, usernames, project structure
- Credential exposure: Config file locations, API key paths
- Privacy violation: User data in public reports
- Social engineering: System information aids targeted attacks
Remediation
Immediate Fix (P1)
- Sanitize paths in reports:
```python
import getpass
from pathlib import Path

# SECURITY: Path Sanitization - Remove sensitive info from reports
# Why: Reports may be shared publicly, exposing system structure
# Prevents: Information Disclosure (CWE-200)
def sanitize_path(path: Path) -> str:
    """Sanitize path for public display."""
    # Convert to relative path if possible
    try:
        cwd = Path.cwd()
        if path.is_relative_to(cwd):
            return str(path.relative_to(cwd))
    except (ValueError, RuntimeError):
        pass

    # Redact home directory (only the leading prefix, not later occurrences)
    home = str(Path.home())
    path_str = str(path)
    if path_str.startswith(home):
        path_str = "~" + path_str[len(home):]

    # Redact username
    username = getpass.getuser()
    path_str = path_str.replace(f"/{username}/", "/<user>/")
    path_str = path_str.replace(f"\\{username}\\", "\\<user>\\")

    return path_str

# Update Repository model
repository.path_display = sanitize_path(repository.path)
```
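- Sanitize command-line arguments:
```python
# scanner.py:122-124
if command is None:
    # Reconstruct command, redacting sensitive args
    argv = sys.argv.copy()
    # Redact paths and config files
    for i, arg in enumerate(argv):
        if arg.startswith('--config='):
            # --config=<file> form: the value is part of this argument
            argv[i] = '--config=<config-file>'
        elif arg == '--config':
            # --config <file> form: redact the next argument, if there is one
            if i + 1 < len(argv):
                argv[i + 1] = '<config-file>'
        elif arg.startswith('/') or arg.startswith('~'):
            argv[i] = sanitize_path(Path(arg))
    command = " ".join(argv)
```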
- Sanitize error messages:
```python
import re

# SECURITY: Error Sanitization - Remove sensitive data from errors
# Why: Error messages may be logged or displayed publicly
# Prevents: Information Exposure Through Error Messages (CWE-209)
class SanitizedException(Exception):
    """Exception with sanitized message."""

    def __init__(self, original: Exception):
        self.original = original
        msg = str(original)
        # Redact paths
        msg = re.sub(r'/[\w/.-]+', '<path>', msg)
        msg = re.sub(r'C:\\[\w\\.-]+', '<path>', msg)
        # Redact API keys
        msg = re.sub(r'sk-ant-[a-zA-Z0-9-]+', 'sk-ant-***', msg)
        msg = re.sub(r'sk-[a-zA-Z0-9-]{20,}', 'sk-***', msg)
        # Redact email addresses
        msg = re.sub(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}', '<email>', msg)
        super().__init__(msg)

# Update error handling
except Exception as e:
    sanitized = SanitizedException(e)
    return Finding.error(assessor.attribute, reason=str(sanitized))
```
- Add privacy mode:
```python
# Add --privacy-mode flag to CLI
@click.option(
    "--privacy-mode",
    is_flag=True,
    help="Redact sensitive information from reports (paths, usernames, etc.)"
)
def assess(..., privacy_mode):
    config = Config(..., privacy_mode=privacy_mode)

# Update reporters to check privacy_mode
if assessment.config and assessment.config.privacy_mode:
    repository.path = sanitize_path(repository.path)
    metadata.command = "<redacted>"
```
- Shorten commit hashes:
```python
# Only show first 8 characters of commit hash
commit_hash = repo.head.commit.hexsha[:8]  # Instead of full hash
```
Additional Protections
- Add report disclaimer:
```html
<div class="security-notice">
  ⚠️ This report may contain sensitive information.
  Do not share publicly without review.
</div>
```
- Implement report encryption:
```python
# Optional: Encrypt sensitive sections of report
from cryptography.fernet import Fernet

# The key must be generated once and stored securely; it is needed to decrypt
key = Fernet.generate_key()

# Encrypt repository metadata
cipher = Fernet(key)
encrypted_path = cipher.encrypt(str(repo.path).encode())
```
- Add .gitignore for reports:
```
# AgentReady reports may contain sensitive data
.agentready/
*.agentready.html
agentready-report-*.json
```
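A pre-publish gate for the leak classes listed in this issue, as an added example (not AgentReady's own code): it scans a rendered report and records each hit with the value masked, so the check's own output does not put the secret back into CI logs. `LEAK_PATTERNS`, `scan_report`, `mask` and both sample reports are constructed for illustration; the API-key patterns are the ones from the error-sanitization snippet above.

```python
import html
import re
from typing import NamedTuple

# The API-key patterns come from the issue's SanitizedException snippet;
# the other patterns are assumptions made for this sketch.
LEAK_PATTERNS = {
    "home_path": re.compile(r"(?:/Users|/home)/[^/\s<\"']+(?:/[^\s<\"']+)*"),
    "windows_home": re.compile(r"[A-Za-z]:\\Users\\[^\\\s<\"']+"),
    "api_key": re.compile(r"sk-ant-[a-zA-Z0-9-]+|sk-[a-zA-Z0-9-]{20,}"),
    "full_commit_hash": re.compile(r"\b[0-9a-f]{40}\b"),
    "config_arg": re.compile(r"--config(?:=|\s+)(?!<)\S+"),
}


class Leak(NamedTuple):
    kind: str
    line: int
    excerpt: str  # masked prefix only, never the full matched value


def mask(value: str, keep: int = 6) -> str:
    # Every pattern above matches more than `keep` characters.
    return value[:keep] + "***"


def scan_report(report_html: str) -> list[Leak]:
    """Return every suspected leak in a rendered report, one entry per match."""
    leaks = []
    for line_no, raw in enumerate(report_html.splitlines(), start=1):
        text = html.unescape(raw)  # autoescaped placeholders arrive as &lt;...&gt;
        for kind, pattern in LEAK_PATTERNS.items():
            for m in pattern.finditer(text):
                leaks.append(Leak(kind, line_no, mask(m.group(0))))
    return leaks


# Constructed samples: the first mirrors the "Shared HTML Reports" example,
# the second is the same report rendered with privacy mode on.
UNSAFE_REPORT = """<div>📁 /Users/jeremy/.ssh/config-repo</div>
<div>Command: agentready assess /secret/clients/acme-corp --config ~/.aws/credentials.yaml</div>
<li>Found ANTHROPIC_API_KEY in .env: sk-ant-xxxxx</li>"""

SAFE_REPORT = """<div>📁 ~/.ssh/config-repo</div>
<div>Command: &lt;redacted&gt;</div>
<li>Found ANTHROPIC_API_KEY in .env: sk-ant-***</li>"""

if __name__ == "__main__":
    found = scan_report(UNSAFE_REPORT)
    print(*found, sep="\n")
    raise SystemExit(1 if found else 0)  # non-zero exit blocks the publish step
```

Absolute paths outside a home directory, such as `/secret/clients/acme-corp`, are not matched by these patterns and still need the privacy-mode command redaction.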
References
Related Issues