Skip to content

[Aikido] Remove APIToken from CollectorConfig to prevent unauthenticated credential disclosure#81

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/code-audit-50942237-urdz
Open

[Aikido] Remove APIToken from CollectorConfig to prevent unauthenticated credential disclosure#81
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/code-audit-50942237-urdz

Conversation

@aikido-autofix

Copy link
Copy Markdown
Contributor

This patch addresses a critical security vulnerability where live bearer API tokens were being exposed through unauthenticated access to the /sbom-collector/config endpoint. The APIToken field has been removed from the CollectorConfig struct in pkg/models/collector_config.go and its population has been eliminated from the HandleGetCollectorConfig service method in internal/services/sbom/sbom.go. These changes ensure that sensitive authentication credentials are no longer transmitted in API responses, mitigating the risk of unauthorized API access through token disclosure.

…prevent exposure of bearer tokens via the /sbom-collector/config endpoint.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants