From d1cfb548044fc3fb072260b3742b31623a19a638 Mon Sep 17 00:00:00 2001
From: Dexploarer <211557447+Dexploarer@users.noreply.github.com>
Date: Tue, 28 Apr 2026 01:17:34 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[security?=
 =?UTF-8?q?=20improvement]=20Fix=20masking=20of=20undefined/empty=20secret?=
 =?UTF-8?q?s=20in=20server=20API?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
🚨 Severity: MEDIUM
💡 Vulnerability: The `maskValue` function in `src/api/server.ts` threw errors or inadequately redacted values when passed falsy/undefined values due to an unsafe `length` check.
🎯 Impact: Minor Denial of Service or log leak if unexpected config structures reach redaction utilities.
🔧 Fix: Added nullish/falsy checks mirroring the secure `maskSecret` implementation.
✅ Verification: Tested via manual scripts, Biome linting, and the existing vitest test suite.
---
 src/api/server.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/api/server.ts b/src/api/server.ts
index c277040870..a5d9de53b1 100644
--- a/src/api/server.ts
+++ b/src/api/server.ts
@@ -630,7 +630,7 @@ interface PluginIndex {
 }
 function maskValue(value: string): string {
- if (value.length <= 8) return "****";
+ if (!value || value.length <= 8) return "****";
 return `${value.slice(0, 4)}...${value.slice(-4)}`;
 }
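Review bot: The new `!value` guard contradicts the declared parameter type `string`; under strict TypeScript the only falsy string is `""`, so the `undefined` values the commit message describes can only be reaching this function through an `any` or an unchecked cast upstream, and a later refactor that trusts the signature will see the check as dead code and drop it. Widen the signature to state the contract the guard actually enforces: `function maskValue(value: string | null | undefined): string {`. Separately, the unchanged threshold on the same line still leaks most of a short secret: a value of 9 to 12 characters has eight characters exposed and at most four hidden, which leaves very little for the redaction to protect, so consider masking fully until enough remains hidden, e.g. `if (!value || value.length < 16) return "****";`. The whole of maskValue is inside the hunk; `maskSecret`, which the message says this mirrors, is not visible here, so whether the two thresholds agree cannot be confirmed from the patch.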