From 8093ebd6f7dc0b67bc0b3dde178963dbede17e6d Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 17 Mar 2026 08:07:07 +0000
Subject: [PATCH 1/2] shield: sentinel: prevent jwt token leakage in error parameters

Removed the `token` field from `INVALID_OR_EXPIRED_JWT_TOKEN` error parameters in both `activepieces-error.ts` and `connection-key.service.ts`. This ensures that even invalid or expired JWT tokens are not echoed back to the client by the global error handler, minimizing sensitive information disclosure.
- Updated `InvalidJwtTokenErrorParams` type to `Record`.
- Removed token passing in `connection-key.service.ts`.
- Documented finding in `.jules/sentinel.md`.
Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 .../src/app/ee/connection-keys/connection-key.service.ts | 8 ++------
 packages/shared/src/lib/common/activepieces-error.ts | 4 +---
 3 files changed, 7 insertions(+), 9 deletions(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000000..3d1fb99352
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-03-17 - Sensitive Token Leakage in Error Responses
+**Vulnerability:** The `INVALID_OR_EXPIRED_JWT_TOKEN` error was including the full JWT token in its `params`, which the global `errorHandler` then echoed back to the client.
+**Learning:** Even invalid or expired tokens can reveal sensitive information about the system's token structure or authentication mechanisms. Global error handlers that serialize all error parameters can unintentionally leak sensitive data.
+**Prevention:** Sanitize error parameters at the source or in the global error handler. Ensure that error parameter types in `activepieces-error.ts` do not include fields that might contain secrets or tokens.
diff --git a/packages/server/api/src/app/ee/connection-keys/connection-key.service.ts b/packages/server/api/src/app/ee/connection-keys/connection-key.service.ts
index 86efae473a..ad94b1287d 100644
--- a/packages/server/api/src/app/ee/connection-keys/connection-key.service.ts
+++ b/packages/server/api/src/app/ee/connection-keys/connection-key.service.ts
@@ -46,9 +46,7 @@ export const connectionKeyService = (log: FastifyBaseLogger) => ({
 if (connectionName == null) {
 throw new ActivepiecesError({
 code: ErrorCode.INVALID_OR_EXPIRED_JWT_TOKEN,
- params: {
- token,
- },
+ params: {},
 })
 }
 const connection = await appConnectionService(log).getOne({
@@ -74,9 +72,7 @@ export const connectionKeyService = (log: FastifyBaseLogger) => ({
 if (connectionName == null) {
 throw new ActivepiecesError({
 code: ErrorCode.INVALID_OR_EXPIRED_JWT_TOKEN,
- params: {
- token: request.token,
- },
+ params: {},
 })
 }
 
diff --git a/packages/shared/src/lib/common/activepieces-error.ts b/packages/shared/src/lib/common/activepieces-error.ts
index 0805b4144c..59fa72139f 100755
--- a/packages/shared/src/lib/common/activepieces-error.ts
+++ b/packages/shared/src/lib/common/activepieces-error.ts
@@ -278,9 +278,7 @@ ErrorCode.FLOW_IN_USE,
 
 export type InvalidJwtTokenErrorParams = BaseErrorParams<
 ErrorCode.INVALID_OR_EXPIRED_JWT_TOKEN,
-{
- token: string
-}
+Record
 >
 
 export type TestTriggerFailedErrorParams = BaseErrorParams<
From 6bf8c11370d6fde8236360add0108beb8793b74c Mon Sep 17 00:00:00 2001
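Review bot: The two throw sites in this file (this hunk and the hunk at line 72) now build the identical `ActivepiecesError` literal, so a file-local helper, e.g. `const invalidJwtError = () => new ActivepiecesError({ code: ErrorCode.INVALID_OR_EXPIRED_JWT_TOKEN, params: {} })`, would keep them in step and make it harder for a later edit to reintroduce a token field at one site only. Because the rejected token is now dropped from the client-facing error, consider a server-side `log.warn` at this point (without the token value) so rejected connection keys still show up in operational logs; whether the caller already logs this is not visible in the hunk. The enclosing `connectionKeyService` object starts and ends outside the hunk.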
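Review bot: The added line reads `+Record` with no type arguments, which is not a valid TypeScript type, so the angle-bracketed arguments were presumably lost in rendering; the commit message shows the same truncation. Please confirm the committed type is `Record<string, never>` rather than `Record<string, unknown>`: the former makes `params: { token }` a compile error at every caller, which is what keeps this leak from being reintroduced, while the latter would accept any field silently. The `InvalidJwtTokenErrorParams` alias is fully contained in the hunk.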
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 17 Mar 2026 08:22:19 +0000 Subject: [PATCH 2/2] shield: sentinel: prevent jwt token leakage in error parameters Removed the `token` field from `INVALID_OR_EXPIRED_JWT_TOKEN` error parameters in both `activepieces-error.ts` and `connection-key.service.ts`. This ensures that even invalid or expired JWT tokens are not echoed back to the client by the global error handler, minimizing sensitive information disclosure. - Updated `InvalidJwtTokenErrorParams` type to `Record`. - Removed token passing in `connection-key.service.ts`. - Documented finding in `.jules/sentinel.md`. Co-authored-by: AGI-Corporation <186229839+AGI-Corporation@users.noreply.github.com>