Security: Fix credential exposure and improve input sanitization #47
Open
trek-e wants to merge 4 commits into Darklyter:main from
Conversation
- STACK.md - Technologies and dependencies
- ARCHITECTURE.md - System design and patterns
- STRUCTURE.md - Directory layout
- CONVENTIONS.md - Code style and patterns
- TESTING.md - Test structure
- INTEGRATIONS.md - External services
- CONCERNS.md - Technical debt and issues
Fixes Darklyter#15 The INCLUDES query template had extra wrapper quotes around the filename placeholder, causing searches to look for `"filename"` (with literal quotes) instead of just `filename`. This broke matching for files with mixed quote types (apostrophes and double quotes). Removed the wrapper `\"` quotes from the INCLUDES query to match how the EQUALS query works.
Fixes Darklyter#29 When a scene has no studio set in Stash (studio: null), the FormattedTitle function would crash with TypeError when trying to access data['studio']['name']. Added null check to gracefully handle scenes without studios - the {studio} placeholder will simply be empty in the formatted title.
- Add redact_sensitive_params() to mask API keys and tokens in debug logs
- Use os.environ.get() for PLEXTOKEN to prevent crash when not set
- Escape backslashes in GraphQL queries to prevent injection
- Add missing image fields to gallery GraphQL query

Fixes potential security issues:
- API keys were logged in plaintext when debug mode enabled
- Plex tokens were logged in plaintext in section/rate requests
- Missing PLEXTOKEN caused unhandled exception
- Filenames with backslashes could cause GraphQL parsing issues

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
- Add `redact_sensitive_params()` helper to mask API keys and Plex tokens in debug logs
- Change `os.environ['PLEXTOKEN']` to `os.environ.get('PLEXTOKEN')` with proper error handling
- Add `images{id,title,file{width,height}}` fields to gallery GraphQL query

Security Issues Addressed
- API keys in debug logs now appear as `apikey=REDACTED`
- Plex tokens in debug logs now appear as `X-Plex-Token=REDACTED`
- Backslashes in GraphQL queries are escaped (`\` before `"`)

Test plan
- Confirm API keys and Plex tokens show as `REDACTED` in logs

🤖 Generated with Claude Code
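A worked version of the fixes described in the commit messages and the Summary above (parameter redaction in logs, the PLEXTOKEN lookup, backslash escaping in GraphQL string literals, and the null-studio guard). This is an added example, not the PR's own code: the parameter names in SENSITIVE_PARAMS, the findScenes query shape, and every function name below are assumptions for illustration. It goes one step beyond the PR text by showing why escape order matters: a quote-only escape (the pre-fix behaviour) lets a filename ending in a backslash close the string literal early.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed list of query-parameter / header names that carry secrets.
# Assumption for this example; chosen to match the apikey and X-Plex-Token
# strings in the PR description. Matching is case-insensitive.
SENSITIVE_PARAMS = frozenset({"apikey", "api_key", "x-plex-token", "token"})
REDACTED = "REDACTED"


def redact_sensitive_params(params):
    """Return a copy of a parameter dict with secret values masked.

    Keys are preserved so a debug log still shows which parameters were
    sent; only the values of sensitive keys are replaced.
    """
    return {
        key: (REDACTED if key.lower() in SENSITIVE_PARAMS else value)
        for key, value in params.items()
    }


def redact_url(url):
    """Mask secrets already embedded in a URL's query string before logging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe)))


def get_plex_token(environ=None):
    """Look up PLEXTOKEN without raising KeyError when it is unset.

    Returns None when the variable is missing or empty so the caller can
    skip Plex calls or log a clear message instead of crashing.
    """
    environ = os.environ if environ is None else environ
    token = environ.get("PLEXTOKEN")
    return token if token else None


def naive_escape(value):
    """Pre-fix behaviour: only double quotes are escaped.

    A trailing backslash in the value pairs with the added backslash,
    leaving the quote unescaped, so the GraphQL string literal closes
    early and whatever follows is parsed as query syntax.
    """
    return value.replace('"', '\\"')


def graphql_escape(value):
    """Escape a Python str for a double-quoted GraphQL string literal.

    Backslashes are escaped first; escaping quotes first would turn an
    input backslash into an escape for the backslash we add.
    """
    return (
        value.replace("\\", "\\\\")
        .replace('"', '\\"')
        .replace("\n", "\\n")
    )


def build_includes_query(filename):
    """Build a path INCLUDES query with no extra wrapper quotes around the
    placeholder, as in the fixed template. The findScenes shape is an
    assumption for this example."""
    return (
        '{ findScenes(scene_filter: {path: {value: "%s", modifier: INCLUDES}}) '
        "{ scenes { id title } } }" % graphql_escape(filename)
    )


def formatted_title(data, template="{studio} - {title}"):
    """Format a title, leaving {studio} empty when the scene has no studio
    (studio: null) instead of raising TypeError on data['studio']['name']."""
    studio = (data.get("studio") or {}).get("name", "")
    return template.format(studio=studio, title=data.get("title", ""))


if __name__ == "__main__":
    # Constructed inputs: a Plex section request and a hostile filename.
    print(redact_url("http://plex.local:32400/library/sections?X-Plex-Token=abc123&includeGuids=1"))
    hostile = 'clip\\"'
    print("naive :", naive_escape(hostile))     # literal closes after \\"
    print("fixed :", graphql_escape(hostile))   # \\ then \" keeps it open
    print(build_includes_query("Bob's \"Demo\" Reel.mp4"))
    print(formatted_title({"title": "Clip", "studio": None}))
```

The naive and fixed escapers are kept side by side so the difference is visible on one input: for `clip\"` the pre-fix version yields `clip\\"`, which a GraphQL lexer reads as an escaped backslash followed by a closing quote, while the fixed version yields `clip\\\"`, an escaped backslash followed by an escaped quote.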