From fdb9620ac492a332084fd7f53f0acc2c396125a4 Mon Sep 17 00:00:00 2001
From: ArthurZhang
Date: Wed, 1 Jul 2026 02:17:21 -0700
Subject: [PATCH] security(agent): redact Slack App-Level (xapp-) tokens

The xapp-- format used by Slack App-Level / Socket Mode tokens was missing from both agent/redact.py prefix patterns and gateway/run.py gateway secret patterns, so SLACK_APP_TOKEN values could leak through to chat users even with security.redact_secrets enabled. Adds an anchored xapp-\d+- pattern to both redaction paths.

---
 agent/redact.py | 3 ++-
 gateway/run.py | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/agent/redact.py b/agent/redact.py
index 81512b054..c917ceb5b 100644
--- a/agent/redact.py
+++ b/agent/redact.py
@@ -76,7 +76,8 @@ _PREFIX_PATTERNS = [
 r"ghu_[A-Za-z0-9]{10,}", # GitHub user-to-server token
 r"ghs_[A-Za-z0-9]{10,}", # GitHub server-to-server token
 r"ghr_[A-Za-z0-9]{10,}", # GitHub refresh token
- r"xox[baprs]-[A-Za-z0-9-]{10,}", # Slack tokens
+ r"xapp-\d+-[A-Za-z0-9-]{10,}", # Slack app-Level token
+ r"xox[baprs]-[A-Za-z0-9-]{10,}", # Slack bot/app/user tokens
 r"AIza[A-Za-z0-9_-]{30,}", # Google API keys
 r"pplx-[A-Za-z0-9]{10,}", # Perplexity
 r"fal_[A-Za-z0-9_-]{10,}", # Fal.ai
diff --git a/gateway/run.py b/gateway/run.py
index 84c429012..72c5fa9e3 100644
--- a/gateway/run.py
+++ b/gateway/run.py
@@ -147,6 +147,7 @@ _GATEWAY_RATE_LIMIT_RE = re.compile(
 _GATEWAY_SECRET_PATTERNS = (
 re.compile(r"\bsk-[A-Za-z0-9][A-Za-z0-9_\-]{12,}\b"),
 re.compile(r"\bgh[pousr]_[A-Za-z0-9_]{20,}\b"),
+ re.compile(r"\bxapp-\d+-[A-Za-z0-9\-]{20,}\b"),
 re.compile(r"\bxox[baprs]-[A-Za-z0-9\-]{20,}\b"),
 re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
 re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
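Review bot: No test accompanies the new `xapp-\d+-` entry — the diffstat lists only agent/redact.py and gateway/run.py — so nothing pins that a Socket Mode token is actually redacted on either path, and the same gap applies to the gateway/run.py hunk below. A constructed sample of the documented shape (for example `xapp-1-A0000000000-0000000000000-` followed by a run of sixty alphanumerics), asserted to come back redacted from both redaction entry points, would guard the exact regression the commit message describes. The comment on the added line also breaks the casing its neighbours use: `r"xapp-\d+-[A-Za-z0-9-]{10,}",  # Slack App-Level (Socket Mode) token`. Whether these list entries are word-anchored when compiled cannot be seen from the hunk; the `_PREFIX_PATTERNS` list opens before it and closes after it.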
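Review bot: The two pattern sets can drift apart again in exactly the way this commit repairs, and nothing on the `_GATEWAY_SECRET_PATTERNS` tuple says that a prefix added here must also be added to agent/redact.py, or the reverse. A one-line comment above the tuple, `# Keep in sync with _PREFIX_PATTERNS in agent/redact.py`, with a mirror note on the other side, would make the coupling visible to the next person adding a provider. Note too that this entry demands `{20,}` trailing characters where the redact.py entry accepts `{10,}`; that mirrors the existing xox pair, so it is presumably deliberate, but a token that only one path catches would be a quiet inconsistency. The tuple's closing parenthesis lies past the end of the hunk.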