4 changes: 4 additions & 0 deletions .jules/sentinel.md
Expand Up @@ -2,3 +2,7 @@
**Vulnerability:** Raw error objects from FFmpeg and browser APIs (`error.message` and `console.error`) were being rendered directly in the user interface and browser console.
**Learning:** Returning unhandled exception messages to the client risks exposing internal stack traces, system paths, and unexpected framework vulnerabilities to potential attackers.
**Prevention:** Catch error blocks should log a sanitized version of the error or omit sensitive details, while the state presented to the user should be a generic, friendly, and secure fallback message (e.g. "Processing failed securely").
## 2024-05-24 - Remove hardcoded API keys from fallback array
**Vulnerability:** Hardcoded API keys for Alibaba Cloud (`sk-baadd0ecc39547d68b00872b10f95e87` and `sk-4be34075ee564d4d85fd6357f70898e2`) were present in `src/app/api/ai/route.ts` as fallback options.
**Learning:** Developers sometimes hardcode secrets temporarily to bypass rate limits or ensure fallback functionality without setting up proper environment variables. This exposes the secrets in source control.
**Prevention:** Always use environment variables for sensitive data like API keys. Enforce secrets scanning in pre-commit hooks and CI pipelines to prevent accidental commits of hardcoded credentials.
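Review bot: The **Vulnerability** line of the new 2024-05-24 entry reproduces both removed key values in full, so this file re-publishes the credentials that the `route.ts` change takes out. Refer to them in a masked form (for example `sk-...` or `[REDACTED]`), and add to **Prevention** that keys which have reached source control must be revoked and rotated, since removing the literals does not invalidate them. The new `##` heading also follows the previous entry's **Prevention** line with no blank line in between; add one so the entries stay separate.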
Comment on lines +5 to +8
⚠️ Potential issue | 🔴 Critical

Critical: Do not commit the actual API key values in documentation.

The sentinel entry includes the plaintext API keys (sk-baadd0ecc39547d68b00872b10f95e87 and sk-4be34075ee564d4d85fd6357f70898e2) that were removed from route.ts. This completely undermines the security fix—anyone with repository access can still read these credentials from sentinel.md, and they will remain in git history permanently.

Redact or mask the keys in the documentation.

🔒 Proposed fix to redact the keys
 ## 2024-05-24 - Remove hardcoded API keys from fallback array
-**Vulnerability:** Hardcoded API keys for Alibaba Cloud (`sk-baadd0ecc39547d68b00872b10f95e87` and `sk-4be34075ee564d4d85fd6357f70898e2`) were present in `src/app/api/ai/route.ts` as fallback options.
+**Vulnerability:** Hardcoded API keys for Alibaba Cloud (prefixed `sk-...`) were present in `src/app/api/ai/route.ts` as fallback options.
 **Learning:** Developers sometimes hardcode secrets temporarily to bypass rate limits or ensure fallback functionality without setting up proper environment variables. This exposes the secrets in source control.
 **Prevention:** Always use environment variables for sensitive data like API keys. Enforce secrets scanning in pre-commit hooks and CI pipelines to prevent accidental commits of hardcoded credentials.

Important: Even after this fix, the exposed keys should be rotated/revoked immediately if they haven't been already, since they were previously committed to version control.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2024-05-24 - Remove hardcoded API keys from fallback array
**Vulnerability:** Hardcoded API keys for Alibaba Cloud (`sk-baadd0ecc39547d68b00872b10f95e87` and `sk-4be34075ee564d4d85fd6357f70898e2`) were present in `src/app/api/ai/route.ts` as fallback options.
**Learning:** Developers sometimes hardcode secrets temporarily to bypass rate limits or ensure fallback functionality without setting up proper environment variables. This exposes the secrets in source control.
**Prevention:** Always use environment variables for sensitive data like API keys. Enforce secrets scanning in pre-commit hooks and CI pipelines to prevent accidental commits of hardcoded credentials.
## 2024-05-24 - Remove hardcoded API keys from fallback array
**Vulnerability:** Hardcoded API keys for Alibaba Cloud (prefixed `sk-...`) were present in `src/app/api/ai/route.ts` as fallback options.
**Learning:** Developers sometimes hardcode secrets temporarily to bypass rate limits or ensure fallback functionality without setting up proper environment variables. This exposes the secrets in source control.
**Prevention:** Always use environment variables for sensitive data like API keys. Enforce secrets scanning in pre-commit hooks and CI pipelines to prevent accidental commits of hardcoded credentials.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 5 - 8, Open the sentinel entry and remove
the plaintext API keys by replacing the two literal strings
(sk-baadd0ecc39547d68b00872b10f95e87 and sk-4be34075ee564d4d85fd6357f70898e2)
with masked placeholders (e.g. [REDACTED] or sk-*****), update the text to state
the keys were redacted from the document, and add a short note advising
immediate key rotation/revocation if not already done; search for those exact
strings in the repository to ensure no other docs contain the secrets and redact
any occurrences.
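
The repository-wide search and redaction the comment asks for, as an added example (not code from this PR or the project). It assumes keys have the shape `sk-` plus 32 hex characters, as the two quoted values do; `scanText`, `redactText`, `maskKey` and the sample inputs are hypothetical names and constructed data.

```typescript
// Added example: find key-shaped tokens in source AND docs, report them masked.
// Assumption: keys look like "sk-" followed by 32 hex characters.
const KEY_PATTERN = /\bsk-[0-9a-f]{32}\b/gi;

interface Finding {
  file: string;
  line: number;
  masked: string; // never the full secret, so the report is safe to log in CI
}

// Keep only the "sk-" prefix and the last four characters.
function maskKey(key: string): string {
  return key.slice(0, 3) + "*".repeat(key.length - 7) + key.slice(-4);
}

function scanText(file: string, text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((content, idx) => {
    for (const hit of content.match(KEY_PATTERN) ?? []) {
      findings.push({ file, line: idx + 1, masked: maskKey(hit) });
    }
  });
  return findings;
}

// Redact in place, for documentation that has to describe the incident.
function redactText(text: string): string {
  return text.replace(KEY_PATTERN, "sk-[REDACTED]");
}

function scanAll(files: Record<string, string>): Finding[] {
  const all: Finding[] = [];
  for (const file of Object.keys(files)) all.push(...scanText(file, files[file]));
  return all;
}

// Constructed sample inputs; FAKE_KEY is made up and is not a real credential.
const FAKE_KEY = "sk-" + "0123456789abcdef".repeat(2);
const SAMPLE_FILES: Record<string, string> = {
  "src/app/api/ai/route.ts": [
    "const FALLBACK_KEYS = [",
    "  process.env.ALIBABA_CLOUD_API_KEY,",
    `  "${FAKE_KEY}", // Secondary key`,
    "].filter(Boolean) as string[];",
  ].join("\n"),
  ".jules/sentinel.md": "**Vulnerability:** Hardcoded key (`" + FAKE_KEY + "`) was present.",
};

console.log(scanAll(SAMPLE_FILES)); // one finding per file, values masked
```

Run over staged files in a pre-commit hook or CI job, a non-empty result from `scanAll` is the condition to fail on.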

4 changes: 1 addition & 3 deletions src/app/api/ai/route.ts
Expand Up @@ -2,9 +2,7 @@ import { NextRequest } from "next/server";
import { DASHSCOPE_MODELS, getAllModelIds, getApiEndpoint } from "@/lib/ai-models";

const FALLBACK_KEYS = [
process.env.ALIBABA_CLOUD_API_KEY,
"sk-baadd0ecc39547d68b00872b10f95e87", // Secondary key
"sk-4be34075ee564d4d85fd6357f70898e2" // Tertiary key
process.env.ALIBABA_CLOUD_API_KEY
].filter(Boolean) as string[];

const GEMINI_FALLBACK_KEYS = [
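Review bot: With the two literals removed, `FALLBACK_KEYS` holds at most one entry and becomes an empty array whenever `ALIBABA_CLOUD_API_KEY` is unset, because of `.filter(Boolean)`. Confirm that the code consuming it returns a clear configuration error on an empty array instead of sending a request with no key, and consider renaming the constant now that nothing is left to fall back to. `GEMINI_FALLBACK_KEYS` begins in the trailing context and is collapsed here; check that it contains no string literals either.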