Skip to content

Security: API key visible in process listing via CLI argument #101

Description

@mantono

Description

The API key can be passed as a CLI argument (-K / --api-key) as defined in src/cfg.rs:34. CLI arguments are visible to any user on the system via ps aux or /proc/*/cmdline.

While the API key can also be passed via the API_KEY environment variable (which is somewhat safer), the CLI flag makes it easy to accidentally expose the secret.

Severity

Low

Suggested Fix

Consider deprecating the CLI flag in favor of environment-variable-only configuration, or at minimum document the risk prominently.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions