Skip to content

Hide rpc headers when debug tracing the network.#2442

Merged
fnando merged 2 commits into
mainfrom
conceal-headers-network-debug
Mar 10, 2026
Merged

Hide rpc headers when debug tracing the network.#2442
fnando merged 2 commits into
mainfrom
conceal-headers-network-debug

Conversation

@fnando
Copy link
Copy Markdown
Member

@fnando fnando commented Mar 10, 2026

What

$ STELLAR_RPC_HEADERS=a:1 STELLAR_RPC_URL=http://localhost:8000/rpc STELLAR_NETWORK_PASSPHRASE="Standalone Network ; February 2017" stellar contract invoke --id hello --very-verbose -- hello --from fnando
2026-03-10T18:15:01.317066Z DEBUG soroban_cli::upgrade_check: start upgrade check
2026-03-10T18:15:01.317055Z TRACE soroban_cli::commands::contract::invoke: network=Network { rpc_url: "http://localhost:8000/rpc", rpc_headers: [("a", "<concealed>")], network_passphrase: "Standalone Network ; February 2017" }
2026-03-10T18:15:01.317228Z DEBUG soroban_cli::upgrade_check: finished upgrade check
2026-03-10T18:15:01.317401Z TRACE soroban_cli::get_spec: network=Network { rpc_url: "http://localhost:8000/rpc", rpc_headers: [("a", "<concealed>")], network_passphrase: "Standalone Network ; February 2017" }
...

Why

https://hackerone.com/reports/3596218

Known limitations

N/A

@fnando fnando requested review from a team and leighmcculloch March 10, 2026 18:17
@fnando fnando self-assigned this Mar 10, 2026
Copilot AI review requested due to automatic review settings March 10, 2026 18:17
@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX Mar 10, 2026
Copilot AI reviewed Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents sensitive RPC header values (e.g., API keys / Authorization tokens) from being exposed in trace/debug logs by customizing how Network is formatted for Debug.

Changes:

  • Remove the derived Debug implementation from Network.
  • Add a manual Debug impl that prints RPC header values as "<concealed>".
  • Add a unit test asserting the redacted debug output format.

@fnando fnando enabled auto-merge (squash) March 10, 2026 22:23
@fnando fnando merged commit aac2016 into main Mar 10, 2026
176 of 190 checks passed
@fnando fnando deleted the conceal-headers-network-debug branch March 10, 2026 22:32
@github-project-automation github-project-automation Bot moved this from Backlog (Not Ready) to Done in DevX Mar 10, 2026
@BrewTestBot BrewTestBot mentioned this pull request Mar 11, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@leighmcculloch leighmcculloch leighmcculloch approved these changes

Assignees

@fnando fnando

Labels

None yet

Projects

DevX
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fnando @leighmcculloch