security: structural pattern bypasses in secret redaction (4 vectors)

[waynesun09]

Summary

Both the Python sandbox hook (secret_redact_posttool.py) and Go-side SecretRedactor (redactor.go) share four pattern bypasses that allow secrets to pass through unredacted. The patterns appear identical between both implementations.

Affected files

• internal/security/hooks/secret_redact_posttool.py:54-88
• internal/security/redactor.go:160-177

Bypass vectors

1. Lowercase environment variable names

Pattern: [A-Z_]*(?:SECRET|TOKEN|...) (line 59 / line 165) — uppercase only

Bypass: export my_token=s3cr3t_value_here — lowercase my_token doesn't match [A-Z_]*

Fix: Add (?i) flag or use [A-Za-z_]* for env var name prefix

2. Single-quoted JSON values

Pattern: "...(secret)..." (line 68 / line 166) — double quotes only

Bypass: {'api_key': 'sk-proj-actual-secret-value'} — single quotes not matched

Fix: Add single-quote variant '...' alongside double-quote pattern

3. Multiple @ in database connection strings

Pattern: ([^@\s]{8,})@ (line 84) / ([^@]{4,})@ (line 169) — stops at first @

Bypass: postgres://user:P@ssw0rd@host:5432/db — regex captures P not P@ssw0rd because it stops at the first @

Fix: Use ([^@\s]{4,}?)@[^@]*$ or similar to match against the last @ as the delimiter

4. Mixed-case environment variable names

Same root cause as #1 — My_Secret_Key=value bypasses the [A-Z_]* prefix requirement.

Severity

Medium — each bypass is individually exploitable. Combined they represent a significant gap in structural secret detection. Exploitable when agent tool output contains secrets in any of these formats.

Source

Fuzzer testing against sandbox hooks and Go security pipeline.

---

Reported by: @JimFuller-RedHat (via fuzzer testing)

[fullsend-ai-triage]

RICE Priority Score: 5.4

Score breakdown

Dimension	Score	Reasoning
Reach	2	Secret redaction is a platform-wide security feature protecting all users. Every org running fullsend-ai relies on this pipeline to prevent secret leakage in tool output. This is especially critical for guacsec (@mrizzi), where trust and safety are key adoption concerns. Scored 2 (most active users across orgs) since the redaction layer is universal infrastructure.
Impact	1.5	Each bypass vector is individually exploitable and allows real secrets to pass through unredacted in agent tool output. Combined, four vectors represent a significant gap in defense-in-depth. However, exploitation requires secrets to appear in specific formats (lowercase env vars, single-quoted JSON, multi-@ passwords), and the reporter rates severity as medium. Scored 1.5 (significant pain point) rather than 2 because these are partial bypasses of a defense layer, not a complete failure of core functionality.
Confidence	0.9	Very high confidence. The issue is exceptionally well-written: exact file paths and line numbers, concrete bypass examples with reproduction steps, root cause analysis, and suggested fixes. The scope is clearly bounded to regex patterns in two files. Scored 0.9.
Effort	0.5	The fixes are well-scoped regex pattern updates in exactly two files (secret_redact_posttool.py and redactor.go). The reporter provided specific fixes for each vector. No architectural changes, no new dependencies, no cross-component coordination. Scored 0.5 (simple, well-scoped change).

Formula: (2 × 1.5 × 0.9) / 0.5 = 5.4

[ifireball]

/triage

[ifireball]

/fs-triage

[fullsend-ai-triage]

Triage Summary

All four bypass vectors have been confirmed by inspecting the current source code in both secret_redact_posttool.py and redactor.go.

Confirmed Vectors

#	Vector	Root Cause	Files
1	Lowercase env var names	[A-Z_]* prefix excludes lowercase	Both
2	Single-quoted JSON values	Pattern only matches "..."	Both
3	Passwords with @ in DB URIs	[^@] splits on embedded @	Both
4	Mixed-case env var names	Same as #1	Both

Recommended Fix

Both files must be updated in lockstep:

1. Use [A-Za-z_]* (or case-insensitive flag) for the env var name prefix
2. Accept both single and double quotes in the JSON secret pattern
3. Rework the DB connection string regex to anchor on the last @ before the host portion

Proposed Test Cases

# For each bypass vector, add to both Python and Go test suites:
1. input: 'export my_token=s3cr3t_value_here'
   expect: 's3cr3t_value_here' is redacted

2. input: 'My_Secret_Key=hunter2abcdef'
   expect: value is redacted

3. input: "{'api_key': 'sk-p...'}"
   expect: value is redacted

4. input: 'postgres://user:P@ssw0rd@host:5432/db'
   expect: full password 'P@ssw0rd' is redacted

5. Regression: existing patterns still match correctly
6. Edge: empty/short passwords below minimum length do NOT match

Related Issues

Issue #444 covers a different bypass mechanism (zero-width character evasion) in the same redaction pipeline. The two issues are independent and can be fixed separately.

Severity: High — these are individually exploitable bypasses in a security-critical defense layer.

---

Labels: Security bug in secret redaction with confirmed bypass vectors; priority elevated to high given security implications.

[ifireball]

/fs-code