mirror of https://github.com/openclaw/openclaw.git
* fix(security): redact sensitive data in OTEL log exports (CWE-532)

  The diagnostics-otel plugin exports ALL application logs to external OTLP collectors without filtering. This leaks API keys, tokens, and other sensitive data to third-party observability platforms.

  Changes:
  - Export redactSensitiveText from plugin-sdk for extension use
  - Apply redaction to log messages before OTEL export
  - Apply redaction to string attribute values
  - Add tests for API key and token redaction

  The existing redactSensitiveText function handles common patterns:
  - API keys (sk-*, ghp_*, gsk_*, AIza*, etc.)
  - Bearer tokens
  - PEM private keys
  - ENV-style assignments (KEY=value)
  - JSON credential fields

  Fixes #12542

* fix: also redact error/reason in trace spans

  Address Greptile feedback:
  - Redact evt.error in webhook.error span attributes and status
  - Redact evt.reason in message.processed span attributes
  - Redact evt.error in message.processed span status

* fix: handle undefined evt.error in type guard

* fix: redact session.state reason in OTEL metrics

  Addresses Greptile feedback - session.state reason field now goes through redactSensitiveText() like message.processed reason.

* test(diagnostics-otel): update service context for stateDir API change

* OTEL diagnostics: redact sensitive values before export

* OTEL diagnostics tests: cover message, attribute, and session reason redaction

* Changelog: note OTEL sensitive-data redaction fix

* Changelog: move OTEL redaction entry to current unreleased

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
| Name |
|---|
| bluebubbles |
| copilot-proxy |
| device-pair |
| diagnostics-otel |
| discord |
| feishu |
| google-gemini-cli-auth |
| googlechat |
| imessage |
| irc |
| line |
| llm-task |
| lobster |
| matrix |
| mattermost |
| memory-core |
| memory-lancedb |
| minimax-portal-auth |
| msteams |
| nextcloud-talk |
| nostr |
| open-prose |
| phone-control |
| qwen-portal-auth |
| shared |
| signal |
| slack |
| synology-chat |
| talk-voice |
| telegram |
| test-utils |
| thread-ownership |
| tlon |
| twitch |
| voice-call |
| zalo |
| zalouser |