Secret leak: recorder start error response includes full Docker create payload (S3 keys, stream keys) #105

Closed
opened 2026-05-26 18:18:40 -04:00 by zgaetano · 1 comment
Owner

Fixed in 04ce096. `POST /recorders/:id/start` no longer echoes `createRes.data` / `startRes.data` / remote sidecar response back to the client — full payload (with env vars) goes to the server log; the response carries a short, generic message.
Author
Owner

## Fix Plan — #105 Secret leak in recorder start error response

**Root cause:** `recorders.js:451` returns `details: createRes.data` (Docker API error echoes full request body including `containerConfig.Env` with `S3_SECRET_KEY`, `STREAM_KEY`, AMPP creds).

**Fix (2 steps):**

1. **Scrub error response** — never forward raw internal error data:

   ```js
   // before:
   return res.status(500).json({ error: "Failed to create container", details: createRes.data });

   // after:
   console.error("Docker create failed:", createRes.data);
   return res.status(500).json({ error: "Failed to create container" });
   ```

2. **Audit all `details:` fields** — grep every route for `details:` responding with internal data. Replace with server-side logging + generic client message.

**Files:** `src/routes/recorders.js:349-451`, all route files
**Effort:** ~1h
**Priority:** P0 — security

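The two steps of the plan above, as an added example rather than dragonflight's own code: a single helper that logs the upstream error body server-side and answers the client with a generic message plus a correlation id, and a small source-audit helper that flags `details:` fields carrying non-literal values. It goes one step further than the fix as described, in that it redacts secret-looking env values (`NAME=value` entries whose name matches a pattern) before the body reaches the server log, since a log that holds `S3_SECRET_KEY` in plaintext is itself a secret store. The secret-name pattern, the `requestId` field, the `Env` key walk and the constructed Docker-style error body are all assumptions for illustration.

```javascript
// Added example (not dragonflight's code): one helper for "log internally, respond generically",
// so a route never forwards an upstream error body (e.g. a Docker create error that echoes the
// request, containerConfig.Env included) to the HTTP client. Field names and the secret-name
// pattern below are assumptions, not taken from the project.

// Assumption: env names matching this are secret-bearing and get their values redacted in logs.
const SECRET_ENV_PATTERN = /(SECRET|KEY|TOKEN|PASSWORD|PASS|CRED)/i;

// Redact values of "NAME=value" env entries whose NAME looks secret-bearing.
function redactEnv(env) {
  if (!Array.isArray(env)) return env;
  return env.map((entry) => {
    if (typeof entry !== "string") return entry;
    const eq = entry.indexOf("=");
    if (eq < 0) return entry;
    const name = entry.slice(0, eq);
    return SECRET_ENV_PATTERN.test(name) ? `${name}=[REDACTED]` : entry;
  });
}

// Recursively copy an upstream error body, redacting every `Env` array found in it
// (Docker's container create payload carries env under containerConfig.Env / Config.Env).
function redactPayload(value) {
  if (Array.isArray(value)) return value.map(redactPayload);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      out[key] = key === "Env" ? redactEnv(val) : redactPayload(val);
    }
    return out;
  }
  return value;
}

// Client-facing body: a generic message plus a correlation id for log lookup; never upstream data.
function internalErrorBody(message, requestId) {
  return { error: message, requestId };
}

// Express-style helper: full (redacted) upstream body to the server log, generic body to the client.
// `log` is injectable so the behaviour can be exercised without touching console.
function sendInternalError(res, message, upstreamData, requestId, log = console.error) {
  log(`${message} [${requestId}]:`, JSON.stringify(redactPayload(upstreamData)));
  return res.status(500).json(internalErrorBody(message, requestId));
}

// Audit helper for the second step: flag source lines that pass a non-literal value under
// `details:` (e.g. `details: createRes.data`) while leaving string literals alone.
const DETAILS_LEAK = /\bdetails\s*:\s*(?!["'`])[A-Za-z_$][\w$.]*/;
function findDetailsLeaks(source) {
  return source.split("\n").flatMap((line, idx) =>
    DETAILS_LEAK.test(line) ? [{ line: idx + 1, text: line.trim() }] : []
  );
}

// Demo on a constructed Docker-style error body (not a real captured response).
function demo() {
  const dockerError = {
    message: "invalid mount config",
    containerConfig: {
      Image: "recorder:latest",
      Env: ["S3_SECRET_KEY=abcd1234", "STREAM_KEY=live_xyz", "PORT=8080"],
    },
  };
  const captured = {};
  const res = {
    status(code) { captured.status = code; return this; },
    json(body) { captured.body = body; return this; },
  };
  const logged = [];
  sendInternalError(res, "Failed to create container", dockerError, "req-42",
    (...args) => logged.push(args.join(" ")));
  return { captured, logged };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

`findDetailsLeaks` is a starting point for the grep step, not a complete audit: it catches identifiers and member expressions after `details:` but not, for example, a spread of an error object into the response body, so the grep should be paired with a read of each route's error branches.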
Reference: WildDragonLLC/dragonflight#105
No description provided.