🛡️ Sentinel: [security improvement] Fix masking of undefined/empty secrets in server API

[Dexploarer]

🚨 Severity: MEDIUM
💡 Vulnerability: The maskValue function in src/api/server.ts threw errors or inadequately redacted values when passed falsy/undefined values due to an unsafe length check.
🎯 Impact: Minor Denial of Service or log leak if unexpected config structures reach redaction utilities.
🔧 Fix: Added nullish/falsy checks mirroring the secure maskSecret implementation.
✅ Verification: Tested via manual scripts, Biome linting, and the existing vitest test suite.

---

PR created automatically by Jules for task 18362626271800512462 started by @Dexploarer

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c11ce61c-2c2e-4225-972a-8af35cb7e4e0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-mask-value-18362626271800512462

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the maskValue function in src/api/server.ts to include a check for null or empty values before masking. Feedback suggests further improving security and robustness by increasing the masking threshold to 16 characters, adding an explicit string type check, and returning an empty string for missing inputs to avoid misleading redaction markers.

[gemini-code-assist]

The current masking logic reveals 8 characters (4 at the start and 4 at the end). For secrets that are only slightly longer than the threshold (e.g., 9 to 12 characters), this reveals almost the entire sensitive value (e.g., 8 out of 9 characters), which constitutes inadequate redaction.

Additionally, while the !value check prevents a crash on nullish inputs, returning **** for a missing value can be misleading as it implies a secret is configured when it is not.

Furthermore, to fully address the risk of "unexpected config structures" causing a Denial of Service (as mentioned in the PR description), it is safer to explicitly check that value is a string before accessing .length or .slice().

Consider increasing the threshold to at least 16 characters and returning an empty string for non-string or empty inputs.

Suggested change

	if (!value || value.length <= 8) return "****";
	if (typeof value !== "string" || !value) return "";
	if (value.length <= 16) return "****";